Windows Analysis Report
2c6HNWVywp.exe

Overview

General Information

Sample name: 2c6HNWVywp.exe (renamed because original name is a hash value)
Original sample name: 1cea2e1892ef23d3a26c3c00ba38db8e54e6fa520681f8fa49d0d21350d86ffa.exe
Analysis ID: 1555001
MD5: e121092ae5eef25b54cc9f8cf9401dbf
SHA1: 4dea659e2b2f67d0bfcba61fb3e41c2595d1a46b
SHA256: 1cea2e1892ef23d3a26c3c00ba38db8e54e6fa520681f8fa49d0d21350d86ffa
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 13
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • 2c6HNWVywp.exe (PID: 7976 cmdline: "C:\Users\user\Desktop\2c6HNWVywp.exe" MD5: E121092AE5EEF25B54CC9F8CF9401DBF)
    • msiexec.exe (PID: 7404 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\2c6HNWVywp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488998 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 8180 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7260 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C17C6E88C2AC26D77232308596BFC404 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1624 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 48383DF6A2E73543A85DB9345F606A15 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T10:12:24.820400+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.10 | 49773 | TCP
2024-11-13T10:13:03.649016+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.10 | 49974 | TCP

There are no malicious signatures.

Source: 2c6HNWVywp.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2c6HNWVywp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: wininet.pdbUGP source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: 2c6HNWVywp.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A43B0 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003C2380 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002BA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003C14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003AC0B0 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003BE3A0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CE610 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CB7D0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003DFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.10:49773
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.10:49974
Source: 2c6HNWVywp.exe, 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp, 2c6HNWVywp.exe, 00000005.00000000.1275948020.00000000004B8000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: <Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: 2c6HNWVywp.exe | String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: shiFAD5.tmp.5.dr | String found in binary or memory: http://.css
Source: shiFAD5.tmp.5.dr | String found in binary or memory: http://.jpg
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shiFAD5.tmp.5.dr | String found in binary or memory: http://html4/loose.dtd
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://t2.symcb.com0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://tl.symcd.com0&
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003E15E0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00361FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00300010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002B2250 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002BC4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002B8720 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002B8890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00300BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002AEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00300C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00300CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002F6EE0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002AF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002CD320 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002C15F0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002B1670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002AF7C0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002B1C90 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00347F20 NtdllDefWindowProc_W
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\50fd66.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFECE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFEFE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFF2E.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002BA950
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003DB350
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003B7D70
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002C6070
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002C41B0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002BE290
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0043E2BE
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0043E64C
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00382A50
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00458B95
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002B8CD0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002A2F40
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002D52F0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0041D550
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002C35A0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002C7630
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0037B7A0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002FFA40
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0044DD6A
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00313FC0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 002D3810 appears 90 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 002A7070 appears 53 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 002A6FF0 appears 46 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 002A99C0 appears 69 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 0039E6D0 appears 60 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 002A8800 appears 223 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 002A9390 appears 41 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: String function: 0039E770 appears 31 times
Source: 2c6HNWVywp.exeBinary or memory string: OriginalFileName vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFileNameInstaller.exe4 vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelzmaextractor.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrereq.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exeBinary or memory string: OriginalFileNameInstaller.exe4 vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exeBinary or memory string: OriginalFilenameDecoder.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shiFAD5.tmp.5.drBinary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engineClassification label: clean13.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A2230 FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CC990 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003E6D50 CoCreateInstance
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0033AB40 FindResourceW,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File created: C:\Users\user\AppData\Local\Temp\shiFAD5.tmp
Source: 2c6HNWVywp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2c6HNWVywp.exe, 00000005.00000002.1407101921.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403575355.0000000001453000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403667113.0000000001473000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT `Instance`,`PropertyName`,`PropertyValue` FROM `MultipleInstancesProps`K;q
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File read: C:\Users\user\Desktop\2c6HNWVywp.exe
Source: unknown | Process created: C:\Users\user\Desktop\2c6HNWVywp.exe "C:\Users\user\Desktop\2c6HNWVywp.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C17C6E88C2AC26D77232308596BFC404 C
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\2c6HNWVywp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488998 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 48383DF6A2E73543A85DB9345F606A15
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\2c6HNWVywp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488998 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C17C6E88C2AC26D77232308596BFC404 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 48383DF6A2E73543A85DB9345F606A15
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 2c6HNWVywp.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 2c6HNWVywp.exe | Static file information: File size 49189312 > 1048576
Source: 2c6HNWVywp.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: 2c6HNWVywp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2c6HNWVywp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2c6HNWVywp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2c6HNWVywp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2c6HNWVywp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2c6HNWVywp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2c6HNWVywp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 2c6HNWVywp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb | source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo | source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb | source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb | source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb | source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb | source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: wininet.pdbUGP | source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb | source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn | source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 | source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb | source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb | source: 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2c6HNWVywp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2c6HNWVywp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2c6HNWVywp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2c6HNWVywp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shiFAD5.tmp.5.dr | Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A2350 LoadLibraryW,GetProcAddress,FreeLibrary
Source: shiFAD5.tmp.5.dr | Static PE information: section name: .wpp_sf
Source: shiFAD5.tmp.5.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140E7FC push es; retf 5_3_0140E8E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140E7FC push es; retf 5_3_0140E8E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140E7FC push es; retf 5_3_0140E8E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_01406C71 push es; ret 5_3_01407092
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_01406C71 push es; ret 5_3_01407092
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_01406C71 push es; ret 5_3_01407092
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140C4E8 push esi; iretd 5_3_0140C4E9
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140C4E8 push esi; iretd 5_3_0140C4E9
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140C4E8 push esi; iretd 5_3_0140C4E9
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140EA8B push es; ret 5_3_0140EA8E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140EA8B push es; ret 5_3_0140EA8E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140EA8B push es; ret 5_3_0140EA8E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_014070A5 push es; retf 5_3_014070A6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_014070A5 push es; retf 5_3_014070A6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_014070A5 push es; retf 5_3_014070A6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_014070A7 push es; iretd 5_3_014070B2
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_014070A7 push es; iretd 5_3_014070B2
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_014070A7 push es; iretd 5_3_014070B2
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140E7FC push es; retf 5_3_0140E8E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140E7FC push es; retf 5_3_0140E8E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140E7FC push es; retf 5_3_0140E8E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_01406C71 push es; ret 5_3_01407092
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_01406C71 push es; ret 5_3_01407092
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_01406C71 push es; ret 5_3_01407092
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140C4E8 push esi; iretd 5_3_0140C4E9
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140C4E8 push esi; iretd 5_3_0140C4E9
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140C4E8 push esi; iretd 5_3_0140C4E9
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140EA8B push es; ret 5_3_0140EA8E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140EA8B push es; ret 5_3_0140EA8E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_0140EA8B push es; ret 5_3_0140EA8E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_3_014070A5 push es; retf 5_3_014070A6
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFECE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFEFE.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFC10.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFB63.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File created: C:\Users\user\AppData\Local\Temp\shiFAD5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFF2E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFECE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFEFE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFF2E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFECE.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFEFE.tmpJump to dropped file
Source: C:\Users\user\Desktop\2c6HNWVywp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFC10.tmpJump to dropped file
Source: C:\Users\user\Desktop\2c6HNWVywp.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dllJump to dropped file
Source: C:\Users\user\Desktop\2c6HNWVywp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFB63.tmpJump to dropped file
Source: C:\Users\user\Desktop\2c6HNWVywp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiFAD5.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFF2E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFE6F.tmpJump to dropped file
Source: C:\Users\user\Desktop\2c6HNWVywp.exeEvaded block: after key decisiongraph_5-67425
Source: C:\Users\user\Desktop\2c6HNWVywp.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_5-69496
Source: C:\Users\user\Desktop\2c6HNWVywp.exeAPI coverage: 10.0 %
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3 FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A43B0 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003C2380 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002BA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003C14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003AC0B0 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003BE3A0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CE610 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CB7D0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003DFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0043365A VirtualQuery,GetSystemInfo
Source: Installer.msi.5.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: 2c6HNWVywp.exe | Binary or memory string: VMci4
Source: 2c6HNWVywp.exe | Binary or memory string: hgfS`
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0043AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003D77C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003A2350 LoadLibraryW,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0044C66D mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0045783E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00435CA1 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00435D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_002D21E0 __set_se_translator,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00436738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0043AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\2c6hnwvywp.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488998 " ai_euimsi=""
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003CEAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003C4050 GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_004541E6 GetLocaleInfoW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00450186 GetLocaleInfoW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0045430F GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00454415 GetLocaleInfoW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_004544E4 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00453B80 GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_0044FC09 EnumSystemLocalesW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00453D7B GetLocaleInfoW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00453E6D EnumSystemLocalesW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00453E22 EnumSystemLocalesW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00453F08 EnumSystemLocalesW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00453F93 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003DBB20 CreateNamedPipeW,CreateFileW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_004372F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_003DA240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW
Source: C:\Users\user\Desktop\2c6HNWVywp.exe | Code function: 5_2_00396BF0 RevokeBindStatusCallback
MITRE ATT&CK Matrix (a number in front of a technique is the count of matching signatures; techniques without a number were not observed):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 21 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | 25 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1555001, Sample: 2c6HNWVywp.exe, Start date: 13/11/2024, Architecture: WINDOWS, Score: 13). Graph content recoverable from the rendered image: the start node launches msiexec.exe and 2c6HNWVywp.exe; msiexec.exe drops C:\Windows\Installer\MSIFF2E.tmp, MSIFEFE.tmp, MSIFECE.tmp and MSIFE6F.tmp (all PE32) and starts two further msiexec.exe processes; 2c6HNWVywp.exe drops C:\Users\user\AppData\Roaming\...\decoder.dll (PE32), C:\Users\user\AppData\Local\...\shiFAD5.tmp (PE32+), C:\Users\user\AppData\Local\...\MSIFC10.tmp (PE32) and C:\Users\user\AppData\Local\...\MSIFB63.tmp (PE32) and starts one msiexec.exe process.

Source | Detection | Scanner | Label | Link
2c6HNWVywp.exe | 0% | ReversingLabs | |
2c6HNWVywp.exe | 3% | Virustotal | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\MSIFB63.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFB63.tmp | 0% | Virustotal | |
C:\Users\user\AppData\Local\Temp\MSIFC10.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFC10.tmp | 0% | Virustotal | |
C:\Users\user\AppData\Local\Temp\shiFAD5.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIFE6F.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIFECE.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIFEFE.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIFF2E.tmp | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/ | 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr | false | | high
http://html4/loose.dtd | shiFAD5.tmp.5.dr | false | | high
https://www.advancedinstaller.com | 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | false | | high
https://www.thawte.com/cps0/ | 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | false | | high
http://.css | shiFAD5.tmp.5.dr | false | | high
http://.jpg | shiFAD5.tmp.5.dr | false | | high
https://www.thawte.com/repository0W | 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr | false | | high
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1555001
                Start date and time:2024-11-13 10:11:15 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 39s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:2c6HNWVywp.exe
                renamed because original name is a hash value
                Original Sample Name:1cea2e1892ef23d3a26c3c00ba38db8e54e6fa520681f8fa49d0d21350d86ffa.exe
                Detection:CLEAN
                Classification:clean13.winEXE@8/13@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 56%
                • Number of executed functions: 67
                • Number of non-executed functions: 222
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\MSIFB63.tmp | IM-vL5WWvBl.msi | | malicious | Unknown | |
C:\Users\user\AppData\Local\Temp\shiFAD5.tmp | setup.exe | | malicious | Unknown | |
 | setup.exe | | malicious | Unknown | |
 | VirtualDesktop.Streamer.Setup.exe | | malicious | Unknown | |
 | VirtualDesktop.Streamer.Setup.exe | | malicious | Unknown | |
 | file.exe | | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | |
 | Step 3 - Setup_Install.exe | | malicious | Xmrig | |
 | http://downloads.ciscocems.com/downloads/CeDAR/Setup_Cedar%208.05.08.zip | | malicious | Unknown | |
 | Bill Details.exe | | malicious | UltraVNC | |
 | Bill Details.exe | | malicious | UltraVNC | |
 | teracopy.exe | | malicious | Unknown | |
                                      Process:C:\Users\user\Desktop\2c6HNWVywp.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:6144:PBtBN+l8CKvSHJSTHLntEToqi/9rpiAO+7lMhZeBajAt7fgcY:PB/0l1K7HLnt5DgMlgZ7AtDgcY
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                      Joe Sandbox View:
• Filename: IM-vL5WWvBl.msi, Detection: malicious
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\2c6HNWVywp.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):919520
                                      Entropy (8bit):6.451407326378623
                                      Encrypted:false
                                      SSDEEP:24576:1x90VXSK4fSa6HXr1iWn8Zlb2h4ntHurpllQ6a:Pq4Fb6HXr1iWnU84ntHurpllQ6a
                                      MD5:064278F42704CDCE52C8C527CF9AFBC7
                                      SHA1:007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
                                      SHA-256:070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
                                      SHA-512:9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                      Reputation:low
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):3.4248859055529355
                                      Encrypted:false
                                      SSDEEP:6:QmQlfuV3ecOYrsfc/okjxaaOEqQbr62avKpnKBlv2K84UlUlwll:QmQ1u9Zsc/7aFEVbr62aInKT8Jll
                                      MD5:DD384DCD1C622E68FC0BDA0970DF5553
                                      SHA1:43191FDF7BA232B4610702BCB428F969AC01975E
                                      SHA-256:B707A86A2582CAF4D45516D94BA916B9E5E99EB268DACA41F9E1AEB591F30FCD
                                      SHA-512:8A0932788D2217AF9FF5F59C633D52C161DC5D68992997568A979BF941CB6E7A43FA55F217249268C17A1944FC4583C17EAB46A16BB5A9A33671ED317AC02D82
                                      Malicious:false
                                      Reputation:low
Preview (UTF-16 text, decoded): ConsoleHQ cannot be installed on systems with screen resolution smaller than 1360 x 768 / === Logging stopped: 13/11/2024 04:12:18 ===
                                      Process:C:\Users\user\Desktop\2c6HNWVywp.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):5038592
                                      Entropy (8bit):6.043058205786219
                                      Encrypted:false
                                      SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                      MD5:11F7419009AF2874C4B0E4505D185D79
                                      SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                      SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                      SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
• Filename: setup.exe, Detection: malicious
• Filename: setup.exe, Detection: malicious
• Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious
• Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: Step 3 - Setup_Install.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: Bill Details.exe, Detection: malicious
• Filename: Bill Details.exe, Detection: malicious
• Filename: teracopy.exe, Detection: malicious
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\2c6HNWVywp.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3D2F3062-A70B-445E-8CE0-4683179903E0}, Number of Words: 0, Subject: ConsoleHQ, Author: ConsolHQ LTD, Name of Creating Application: ConsoleHQ, Template: ;1033, Comments: This installer database contains the logic and data required to install ConsoleHQ., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Category:dropped
                                      Size (bytes):2200576
                                      Entropy (8bit):6.507735592861096
                                      Encrypted:false
                                      SSDEEP:49152:kSVYVKjlgZcDgcYrAvq4Fb6HXr1iWnU84ntHurpllQ6aSHCP1N0ZqgJtmpxl:5Y4jluAjFnWnq1
                                      MD5:6705CCE3BC489F21E89914817299191E
                                      SHA1:0D406B2AA2FC69460088C244C944748491EA707E
                                      SHA-256:BA061426E33C6432E7FD96973A92A7D6754723CC28E5F4077362FA609F686A9F
                                      SHA-512:4093713E87458E2353F83CF8B3F8E8D5BA339D1CD2AA921ECFD636FCE591FBA8EE0164FF5B7AC18C11F7D09D3BC0EAF52AA64A47686A695FECD43965313F01B7
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\2c6HNWVywp.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):209920
                                      Entropy (8bit):6.447659228395253
                                      Encrypted:false
                                      SSDEEP:3072:tScXkSa4E7uzTK+NbkuO2DcUC1myXxskH9Xq4fa2KbDI0lSmb9D:Q7sO+EZ9LH2j7Mmb9
                                      MD5:A5FFDCF45D3D123139C49017B22F444E
                                      SHA1:7B3D3D293F9A34570FC91500A6580496147C7658
                                      SHA-256:8F49245444B02BF0E103C5A5850A0B2FB1F2880C917261D146E3B8BC3C166E40
                                      SHA-512:5FF195A70825EFCED761ACEEEC5A6F0D0E18C1A4074482F584EFABEF7166C957C728D71D6185E3487A1405C608D820EFA4E07C584D60A8D51625E5D8A9A89397
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..a*..2*..2*..2..3 ..2..3...2x.3...2x.3:..2x.3?..2..3?..2..3-..2*..2...2..3v..2..3+..2..^2+..2*.62+..2..3+..2Rich*..2................PE..L...?..b.........."!.....`...................p............................................@......................... ...........<....p.. .......................0 ......p...........................`...@............p..t............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data...dV..........................@....rsrc... ....p......................@..@.reloc..0 ......."..................@..B........................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\2c6HNWVywp.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):162168468
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:2DBC0818CDB52345791955E058A40132
                                      SHA1:3CEC7455FB8C8F57FABA2B065BA7BEEBCECBA565
                                      SHA-256:896FBF58598F1376DC47013E0CCDF5422A54C28460F858ABD25B871DC02D5509
                                      SHA-512:8173DAE9455BD4D200E0C5D3A25014AA879FF3FC9A9001C02F91BB0F1EA10D226BFFD6C8E19BA2F7A37A646749E82C5A70CF62A7C461660A188343C8A19E77CB
                                      Malicious:false
                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3D2F3062-A70B-445E-8CE0-4683179903E0}, Number of Words: 0, Subject: ConsoleHQ, Author: ConsolHQ LTD, Name of Creating Application: ConsoleHQ, Template: ;1033, Comments: This installer database contains the logic and data required to install ConsoleHQ., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Category:dropped
                                      Size (bytes):2200576
                                      Entropy (8bit):6.507735592861096
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:6705CCE3BC489F21E89914817299191E
                                      SHA1:0D406B2AA2FC69460088C244C944748491EA707E
                                      SHA-256:BA061426E33C6432E7FD96973A92A7D6754723CC28E5F4077362FA609F686A9F
                                      SHA-512:4093713E87458E2353F83CF8B3F8E8D5BA339D1CD2AA921ECFD636FCE591FBA8EE0164FF5B7AC18C11F7D09D3BC0EAF52AA64A47686A695FECD43965313F01B7
                                      Malicious:false
                                      Preview:......................>..................."...................................f...............................1...2...3...4...5...6...7...8...9...:...;...<...=...>...C...D...E...F...G...H...I...J...K...................................................................................................................................................................................................................................................................................................................................N...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)...*...4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...F...>...?...@...A...B...C.......E...K...G...H...I...J.......L...M...O..._...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...`...*...a...b...c...d...e...........h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:modified
                                      Size (bytes):919520
                                      Entropy (8bit):6.451407326378623
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:064278F42704CDCE52C8C527CF9AFBC7
                                      SHA1:007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
                                      SHA-256:070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
                                      SHA-512:9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...#S..#S..#S]. R..#S].&R;.#S.'R..#S. R..#S.&R..#S].'R..#S]."R..#S.."S..#S2.*R..#S2.#R..#S2..S..#S..S..#S2.!R..#SRich..#S........PE..L...P..b.........."!.....X...................p...............................@......{9....@.........................`A..t....A.......0.......................@..L...(...p...............................@............p...............................text...nV.......X.................. ..`.rdata.......p.......\..............@..@.data...<....`.......@..............@....rsrc........0......................@..@.reloc..L....@......................@..B................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):363829
                                      Entropy (8bit):5.365413746310935
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:7596C4598FA936608BEA83F976BFA088
                                      SHA1:10E9CD7F330A1DE98DF41FE0E95B15F456E45977
                                      SHA-256:448C266E6C691E9B9869F577B003EF04C68E2215EC5E4E3872AD743CCE7F5F81
                                      SHA-512:74F1E4C2DC0BED62089E2219A8BF08FB9A26B4CCE894C94C36DA266D57CD3B7020E6124A672CA122E26071A41F70ADAB9EA96A4227E0E36340556061F43CC35D
                                      Malicious:false
                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.9766416416233135
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:2c6HNWVywp.exe
                                      File size:49'189'312 bytes
                                      MD5:e121092ae5eef25b54cc9f8cf9401dbf
                                      SHA1:4dea659e2b2f67d0bfcba61fb3e41c2595d1a46b
                                      SHA256:1cea2e1892ef23d3a26c3c00ba38db8e54e6fa520681f8fa49d0d21350d86ffa
                                      SHA512:7bc231d4a4de2966491991fc108b380da31fa6836b42660cbac1a0c2355f8555f76aae50c52cd004c5fbfae84d0c93bfaf00f1538418dc8a20fba5395d0a3e5c
                                      SSDEEP:786432:aVGXG8/1TmEbPznMmlZa0aBrmoL1QKRGjFWCjXWjW0+hkE5KWVS:u8/1Zbra5Brn1XRGBW+GjohkQW
                                      TLSH:BBB72331364EC52BDA6615B02A3C9AAF10197FB50F6158C7B3CC2D6E1BB49C35632E27
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{...{...{.3.x...{.3.~.X.{.3.}...{.......{...x...{...~...{.3.....{.3.z...{.3.|...{...z.8.{.\.r...{.\.....{.......{.\.y...{
                                      Icon Hash:9713331b4d3b2f0c
                                      Entrypoint:0x596c64
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6213B2EE [Mon Feb 21 15:42:38 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:836688c7d21e39394af41ce9a8c2d728
                                      Instruction
                                      call 00007F6F98E9BEDDh
                                      jmp 00007F6F98E9B67Fh
                                      mov ecx, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], ecx
                                      pop ecx
                                      pop edi
                                      pop edi
                                      pop esi
                                      pop ebx
                                      mov esp, ebp
                                      pop ebp
                                      push ecx
                                      ret
                                      mov ecx, dword ptr [ebp-10h]
                                      xor ecx, ebp
                                      call 00007F6F98E9ACD3h
                                      jmp 00007F6F98E9B7E2h
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-10h], eax
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-10h], esp
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29cb94 | 0x28 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a7000 | 0x3d55c | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e5000 | 0x256bc | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x246778 | 0x70 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x246800 | 0x18 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x219f38 | 0x40 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x218000 | 0x2c0 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x299f88 | 0x260 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x1000 | 0x216c3f | 0x216e00 | b670db57563315716440578ee99e5466 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata | 0x218000 | 0x85b8c | 0x85c00 | 59a6fbcfc1f150b26bf16fdd47452e43 | False | 0.3120947721962617 | data | 4.605894063170113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data | 0x29e000 | 0x89f0 | 0x6a00 | 1cea180402edcf39ea7c6193312cce32 | False | 0.14180424528301888 | DOS executable (block device driver 0aY) | 2.8670521481443174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rsrc | 0x2a7000 | 0x3d55c | 0x3d600 | 9c215b5617dafedde9588bb2401248ca | False | 0.2635724287169043 | data | 5.856059532970926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0x2e5000 | 0x256bc | 0x25800 | 08f0f06260e93e98732bfb4145f07cca | False | 0.446171875 | data | 6.512576488264422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       IMAGE_FILE | 0x2a7bf0 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                       IMAGE_FILE | 0x2a7bf8 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                       RTF_FILE | 0x2a7c00 | 0x2e9 | Rich Text Format data, version 1, ANSI, code page 1252 | English | United States | 0.5503355704697986
                                       RTF_FILE | 0x2a7eec | 0xa1 | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | English | United States | 0.906832298136646
                                       RT_BITMAP | 0x2a7f90 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
                                       RT_BITMAP | 0x2a80d0 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
                                       RT_BITMAP | 0x2a88f8 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
                                       RT_BITMAP | 0x2ad1a0 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
                                       RT_BITMAP | 0x2adc0c | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
                                       RT_BITMAP | 0x2add60 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
                                       RT_ICON | 0x2ae588 | 0x7c5a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9958534899792675
                                       RT_ICON | 0x2b61e4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.142848692771797
                                       RT_ICON | 0x2c6a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.29470954356846474
                                       RT_ICON | 0x2c8fb4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3621013133208255
                                       RT_ICON | 0x2ca05c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.45819672131147543
                                       RT_MENU | 0x2ca9e4 | 0x5c | data | English | United States | 0.8478260869565217
                                       RT_MENU | 0x2caa40 | 0x2a | data | English | United States | 1.0714285714285714
                                       RT_DIALOG | 0x2caa6c | 0xac | data | English | United States | 0.7151162790697675
                                       RT_DIALOG | 0x2cab18 | 0x2a6 | data | English | United States | 0.5132743362831859
                                       RT_DIALOG | 0x2cadc0 | 0x3b4 | data | English | United States | 0.43248945147679324
                                       RT_DIALOG | 0x2cb174 | 0xbc | data | English | United States | 0.7180851063829787
                                       RT_DIALOG | 0x2cb230 | 0x204 | data | English | United States | 0.560077519379845
                                       RT_DIALOG | 0x2cb434 | 0x282 | data | English | United States | 0.48598130841121495
                                       RT_DIALOG | 0x2cb6b8 | 0xcc | data | English | United States | 0.6911764705882353
                                       RT_DIALOG | 0x2cb784 | 0x146 | data | English | United States | 0.5736196319018405
                                       RT_DIALOG | 0x2cb8cc | 0x226 | data | English | United States | 0.4690909090909091
                                       RT_DIALOG | 0x2cbaf4 | 0x388 | data | English | United States | 0.45464601769911506
                                       RT_DIALOG | 0x2cbe7c | 0x1b4 | data | English | United States | 0.5458715596330275
                                       RT_DIALOG | 0x2cc030 | 0x136 | data | English | United States | 0.6064516129032258
                                       RT_DIALOG | 0x2cc168 | 0x4c | data | English | United States | 0.8289473684210527
                                       RT_STRING | 0x2cc1b4 | 0x45c | data | English | United States | 0.3844086021505376
                                       RT_STRING | 0x2cc610 | 0x344 | data | English | United States | 0.37320574162679426
                                       RT_STRING | 0x2cc954 | 0x2f8 | data | English | United States | 0.4039473684210526
                                       RT_STRING | 0x2ccc4c | 0x598 | data | English | United States | 0.2807262569832402
                                       RT_STRING | 0x2cd1e4 | 0x3aa | StarOffice Gallery theme i, 1627418368 objects, 1st n | English | United States | 0.4211087420042644
                                       RT_STRING | 0x2cd590 | 0x5c0 | data | English | United States | 0.3498641304347826
                                       RT_STRING | 0x2cdb50 | 0x568 | data | English | United States | 0.32875722543352603
                                       RT_STRING | 0x2ce0b8 | 0x164 | data | English | United States | 0.5421348314606742
                                       RT_STRING | 0x2ce21c | 0x520 | data | English | United States | 0.39176829268292684
                                       RT_STRING | 0x2ce73c | 0x1a0 | data | English | United States | 0.45913461538461536
                                       RT_STRING | 0x2ce8dc | 0x18a | data | English | United States | 0.5228426395939086
                                       RT_STRING | 0x2cea68 | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
                                       RT_STRING | 0x2cec80 | 0x624 | data | English | United States | 0.3575063613231552
                                       RT_STRING | 0x2cf2a4 | 0x660 | data | English | United States | 0.3474264705882353
                                       RT_STRING | 0x2cf904 | 0x2e2 | data | English | United States | 0.4037940379403794
                                       RT_GROUP_ICON | 0x2cfbe8 | 0x4c | data | English | United States | 0.7763157894736842
                                       RT_VERSION | 0x2cfc34 | 0x2dc | data | English | United States | 0.453551912568306
                                       RT_HTML | 0x2cff10 | 0x37c8 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08291316526610644
                                       RT_HTML | 0x2d36d8 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
                                       RT_HTML | 0x2d49f0 | 0x4fa | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3626373626373626
                                       RT_HTML | 0x2d4eec | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
                                       RT_HTML | 0x2db9bc | 0x6a2 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3486454652532391
                                       RT_HTML | 0x2dc060 | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
                                       RT_HTML | 0x2dd0ac | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
                                       RT_HTML | 0x2de660 | 0x205c | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13604538870111058
                                       RT_HTML | 0x2e06bc | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
                                       RT_MANIFEST | 0x2e3d4c | 0x80f | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.40814348036839554
DLL | Import
KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW
Language of compilation system | Country where language is spoken
English | United States
                                      No network behavior found

                                      Target ID:5
                                      Start time:04:12:05
                                      Start date:13/11/2024
                                      Path:C:\Users\user\Desktop\2c6HNWVywp.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\2c6HNWVywp.exe"
                                      Imagebase:0x2a0000
                                      File size:49'189'312 bytes
                                      MD5 hash:E121092AE5EEF25B54CC9F8CF9401DBF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:04:12:10
                                      Start date:13/11/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                      Imagebase:0x7ff66c080000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:8
                                      Start time:04:12:11
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C17C6E88C2AC26D77232308596BFC404 C
                                      Imagebase:0xd00000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:04:12:11
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\2c6HNWVywp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488998 " AI_EUIMSI=""
                                      Imagebase:0xd00000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:04:12:11
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 48383DF6A2E73543A85DB9345F606A15
                                      Imagebase:0xd00000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true
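The process list above shows the bootstrapper (Target 5), the Windows Installer service instance it triggers (msiexec /V), the install request on the MSI it extracted under AppData\Roaming (msiexec /i ... AI_SETUPEXEPATH=... EXE_CMD_LINE="...") and two -Embedding server instances. The Python script below is an added example, not part of the Joe Sandbox report or of its tooling: it parses the report's "Key:value" process blocks, tokenises each msiexec command line (a double quote may open in the middle of a token, as in EXE_CMD_LINE="..."), classifies the msiexec role and flags an install from a user-profile path. The sample input is copied from the process entries above; the meaning of /V and -Embedding, the reading of AI_* properties as Advanced Installer bootstrapper properties and the list of user-profile folders in USER_PROFILE_RE are background knowledge and assumptions of this example, not statements of the report.

```python
# Added example, not part of the Joe Sandbox report or its tooling: parse the
# report's process blocks, tokenise each msiexec command line with Windows
# double-quote rules, and flag a bootstrapper running msiexec /i on an MSI
# extracted under the user profile (AI_* = Advanced Installer convention,
# background knowledge rather than something the report states).
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed from the process list above; only the fields this script uses.
REPORT_PROCESSES = r"""
Target ID:5
Path:C:\Users\user\Desktop\2c6HNWVywp.exe
Commandline:"C:\Users\user\Desktop\2c6HNWVywp.exe"

Target ID:7
Path:C:\Windows\System32\msiexec.exe
Commandline:C:\Windows\system32\msiexec.exe /V

Target ID:8
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C17C6E88C2AC26D77232308596BFC404 C

Target ID:9
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\2c6HNWVywp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488998 " AI_EUIMSI=""
"""


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split on unquoted whitespace; a quote may open mid-token (PROP="a b"),
    as msiexec properties are written. Quotes are dropped, so PROP="" -> 'PROP='."""
    tokens, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, have_token = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if have_token:
                tokens.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    return tokens + ["".join(cur)] if have_token else tokens


@dataclass
class MsiExecCall:
    image: str
    action: str = ""      # "/i", "/x", "/a", "/f..." or "-Embedding"
    package: str = ""     # MSI path that follows the action
    flags: List[str] = field(default_factory=list)
    properties: Dict[str, str] = field(default_factory=dict)


def parse_msiexec(cmdline: str) -> MsiExecCall:
    toks = split_windows_cmdline(cmdline)
    call, i = MsiExecCall(image=toks[0]), 1
    while i < len(toks):
        t = toks[i]
        if t.lower() in ("-embedding", "/embedding"):
            call.action = "-Embedding"          # following GUID/args are ignored here
        elif len(t) > 1 and t[0] in "/-":
            if t[1].lower() in "ixaf" and i + 1 < len(toks):  # these take a package
                call.action, call.package, i = t, toks[i + 1], i + 1
            else:
                call.flags.append(t)
        elif "=" in t and t[0].isalpha():       # PROPERTY=value
            key, _, value = t.partition("=")
            call.properties[key] = value
        i += 1
    return call


def role_of(call: MsiExecCall) -> str:
    """/V is the argument the Windows Installer service is registered with;
    -Embedding marks the server instances it spawns (custom actions / remote API)."""
    if call.action == "-Embedding":
        return "custom-action server"
    if any(f.lower() == "/v" for f in call.flags):
        return "installer service"
    return "install" if call.action[1:2].lower() == "i" else "other"


# Assumed set of user-writable profile folders worth flagging (example's choice).
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)


def parse_process_blocks(text: str) -> List[Dict[str, str]]:
    """Blank-line-separated 'Key:value' blocks; the first colon ends the key."""
    procs, cur = [], {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            if cur:
                procs.append(cur)
                cur = {}
            continue
        key, sep, val = line.partition(":")
        if sep:
            cur[key.strip()] = val.strip()
    return procs + [cur] if cur else procs


def triage(proc: Dict[str, str]) -> List[str]:
    """Findings for one process entry; empty for anything that is not msiexec."""
    if not proc.get("Path", "").lower().endswith("\\msiexec.exe"):
        return []
    call = parse_msiexec(proc["Commandline"])
    findings = [f"msiexec role: {role_of(call)}"]
    if role_of(call) == "install" and call.package:
        if USER_PROFILE_RE.match(call.package):
            findings.append(f"installs an MSI from the user profile: {call.package}")
        ai = sorted(k for k in call.properties if k.upper().startswith("AI_"))
        if ai:
            findings.append("Advanced Installer bootstrapper properties: " + ", ".join(ai))
        if "\\syswow64\\" in proc["Path"].lower() and "\\system32\\" in call.image.lower():
            findings.append("command line names system32 but the 32-bit image ran from SysWOW64 (WOW64 redirection)")
    return findings


def triage_report(text: str) -> Dict[str, List[str]]:
    return {p["Target ID"]: triage(p) for p in parse_process_blocks(text)}
```

`triage_report(REPORT_PROCESSES)` returns a dict keyed by Target ID: an empty list for the bootstrapper, the role alone for the service and -Embedding instances, and for Target 9 the role, the user-profile MSI path, the AI_* property names and the note that the "system32" path in the command line was redirected to SysWOW64 because a 32-bit parent launched it.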

                                        Execution Graph

                                        Execution Coverage:3.4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:25%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:87
execution_graph: [node/edge data of the interactive execution-graph viewer, captured as text and truncated at the end of the page. Each node is a numeric node ID, a code address (e.g. 304bf0, 3bcfa0) and, for API nodes, the API name; nodes annotated "N API calls" summarise subroutines whose calls are not expanded. API calls named in the captured nodes: GetLastError, SetLastError, SetWindowLongW, GetWindowLongW, SetWindowPos, DestroyWindow, GetParent, GetWindow, GetWindowRect, MonitorFromWindow, GetMonitorInfoW, SendMessageW, PeekMessageW, TranslateMessage, DispatchMessageW, MsgWaitForMultipleObjectsEx, RtlAllocateHeap, RtlFreeHeap, GetProcessHeap, RaiseException, LoadLibraryW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleHandleW, GetSystemDirectoryW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, TlsGetValue, EnterCriticalSection, SleepConditionVariableCS, RtlWakeAllConditionVariable, WaitForSingleObjectEx, SetEvent, ResetEvent, FindFirstFileW, FindClose, GetFullPathNameW, PathIsUNCW, RegOpenKeyExW, RegCloseKey, WideCharToMultiByte, FindResourceW, LoadResource, LockResource, SizeofResource, GetLocaleInfoW, CreateFileW, CreateNamedPipeW, CloseHandle.]
3b8d96 67880->67885 67882 436199 std::_Facet_Register 2 API calls 67881->67882 67883 3c4766 67882->67883 68368 3e15e0 67883->68368 67886 3be580 67885->67886 67887 3be5b5 67886->67887 67909 3be6dc 67886->67909 67888 3be664 67887->67888 67914 3be5bd 67887->67914 68534 3bfd80 RaiseException 67888->68534 67889 3be92f 67890 3bc580 8 API calls 67889->67890 67892 3be93e 67890->67892 67897 3bc580 8 API calls 67892->67897 67893 3be762 67895 3be80d 67893->67895 67896 3be772 67893->67896 67894 3be66b 67898 3bea30 67894->67898 67904 3be67f 67894->67904 68462 3bc580 67895->68462 67900 3bc580 8 API calls 67896->67900 67903 3be808 67897->67903 68541 2b2970 RaiseException 67898->68541 67907 3be77d 67900->67907 67923 3be97e 67903->67923 67924 3be973 67903->67924 68535 3bfdd0 110 API calls 67904->68535 67906 3be60d 67906->67663 67932 3be925 67907->67932 68536 3bfd20 RaiseException 67907->68536 67908 3bea3c 67913 2a9b10 2 API calls 67908->67913 67909->67889 67909->67893 67910 3be694 67915 2bb330 38 API calls 67910->67915 67912 3be8b3 67919 3be8ce 67912->67919 68469 3c2380 67912->68469 68533 3bf950 307 API calls ___vcrt_freefls@4 67914->68533 67916 3be798 67916->67898 67920 3be7a9 67916->67920 68538 3a5170 42 API calls 67923->68538 67931 3be818 67931->67898 67931->67912 67934 3bc580 8 API calls 67931->67934 67936 3bea02 67932->67936 67939 43f5b6 ___vcrt_freefls@4 6 API calls 67932->67939 67934->67931 67936->67663 67939->67936 68007->67424 68008->67424 68009->67451 68011 3c2ae6 68010->68011 68012 3c2ac0 68010->68012 68708 2b2970 RaiseException 68011->68708 68012->68011 68013 3c2ad2 DeleteFileW 68012->68013 68013->68011 68013->68012 68015 3c2bb8 68017 3b7f25 68015->68017 68020 43f5b6 ___vcrt_freefls@4 6 API calls 68015->68020 68016 3c2bf4 68715 2b2970 RaiseException 68016->68715 68017->67529 68018 3c2b01 std::ios_base::_Ios_base_dtor 68018->68015 68018->68016 68709 3df6d0 68018->68709 68020->68017 68021 3c2c00 68023->67531 68024->67539 68025->67562 68026->67441 68027->67446 68029 3c3e7e 
EnumResourceLanguagesW 68028->68029 68030 3c3fe1 68028->68030 68038 3c3ebd 68029->68038 68030->67495 68031 3c3f0e 68034 43f5b6 ___vcrt_freefls@4 6 API calls 68031->68034 68037 3c3f1b 68031->68037 68032 3c4011 68717 2b2970 RaiseException 68032->68717 68034->68037 68035 3c3fbf 68035->68030 68036 43f5b6 ___vcrt_freefls@4 6 API calls 68035->68036 68036->68030 68037->68032 68037->68035 68038->68031 68038->68032 68039 3c3f50 68038->68039 68039->68037 68716 2bb3a0 37 API calls 3 library calls 68039->68716 68041 3c401d 68041->67495 68043->67452 68044->67491 68046 44dbdd ___free_lconv_mon 6 API calls 68045->68046 68047 43f5ce 68046->68047 68047->67538 68048->67570 68049->67580 68051->67503 68052->67511 68053->67511 68054->67618 68057 38ca0d 68055->68057 68058 38ca4b 68055->68058 68056 43f5b6 ___vcrt_freefls@4 6 API calls 68056->68058 68057->68056 68058->67618 68059->67618 68060->67618 68061->67618 68062->67618 68063->67651 68064->67619 68065->67585 68066->67593 68067->67604 68068->67630 68069->67635 68070 3ba570 384 API calls 4 library calls 68070->67620 68071->67625 68072->67642 68079->67600 68080->67729 68081->67733 68082->67748 68083->67748 68085 389785 68084->68085 68086 389746 68084->68086 68088 2a9b10 2 API calls 68085->68088 68094 389790 68085->68094 68087 389762 68086->68087 68095 2a98a0 38 API calls 68086->68095 68096 2a9910 37 API calls 4 library calls 68087->68096 68093 3897aa 68088->68093 68091 389772 68097 2a9910 37 API calls 4 library calls 68091->68097 68093->67759 68094->67759 68095->68087 68096->68091 68097->68085 68099 2a9e50 46 API calls 68098->68099 68100 3dc4ca 68099->68100 68101 3dc53a 68100->68101 68102 3dc4d0 68100->68102 68103 2a9b10 2 API calls 68101->68103 68105 3dc4fd 68102->68105 68106 3dc4f2 68102->68106 68104 3dc544 68103->68104 68116 3dbdb0 115 API calls std::_Locinfo::_Locinfo_dtor 68104->68116 68115 2a99c0 38 API calls 3 library calls 68105->68115 68114 2a9390 46 API calls 68106->68114 68110 3dc4fb 68111 2ba950 110 API calls 68110->68111 
68113 3dc525 68111->68113 68112 3dc588 68112->67766 68113->67766 68114->68110 68115->68110 68116->68112 68118 3dc2b8 ReadFile 68117->68118 68119 3dc277 ConnectNamedPipe 68117->68119 68120 3dc34c 68118->68120 68121 3dc2e0 68118->68121 68119->68118 68122 3dc284 GetLastError 68119->68122 68125 2a9e50 46 API calls 68120->68125 68121->68120 68123 3dc2e5 68121->68123 68122->68118 68124 3dc291 68122->68124 68126 2b6990 55 API calls 68123->68126 68124->68118 68127 3dc297 68124->68127 68128 3dc351 68125->68128 68129 3dc2f0 68126->68129 68130 2a9e50 46 API calls 68127->68130 68131 3dc29c 68128->68131 68132 3dc357 68128->68132 68134 2a9650 38 API calls 68129->68134 68130->68131 68133 2a9b10 2 API calls 68131->68133 68137 3dc2a4 68131->68137 68132->68137 68135 3dc391 68133->68135 68136 3dc302 68134->68136 68138 3dc415 WriteFile 68135->68138 68139 3dc3d6 68135->68139 68136->67780 68137->67780 68140 3dc44c 68138->68140 68141 3dc432 68138->68141 68142 2a9e50 46 API calls 68139->68142 68145 3dc240 111 API calls 68140->68145 68143 2a9e50 46 API calls 68141->68143 68144 3dc3db 68142->68144 68146 3dc437 68143->68146 68147 3dc3e3 68144->68147 68149 2a9b10 2 API calls 68144->68149 68145->68146 68146->67780 68146->68144 68148 3dc43d 68146->68148 68147->67780 68148->68147 68150 3dc487 68149->68150 68151 2a9e50 46 API calls 68150->68151 68152 3dc4ca 68151->68152 68153 3dc53a 68152->68153 68154 3dc4d0 68152->68154 68155 2a9b10 2 API calls 68153->68155 68157 3dc4fd 68154->68157 68158 3dc4f2 68154->68158 68156 3dc544 68155->68156 68168 3dbdb0 115 API calls std::_Locinfo::_Locinfo_dtor 68156->68168 68167 2a99c0 38 API calls 3 library calls 68157->68167 68166 2a9390 46 API calls 68158->68166 68162 3dc588 68162->67780 68163 3dc4fb 68164 2ba950 110 API calls 68163->68164 68165 3dc525 68164->68165 68165->67780 68166->68163 68167->68163 68168->68162 68169->67786 68171 2a9e50 46 API calls 68170->68171 68172 38506e 68171->68172 68173 3851e0 68172->68173 68176 3851af 68172->68176 68181 3851d6 
68172->68181 68185 3850e7 68172->68185 68174 2a9b10 2 API calls 68173->68174 68175 3851ea 68174->68175 68177 2a9b10 2 API calls 68175->68177 68178 43615a _ValidateLocalCookies 5 API calls 68176->68178 68179 3851f4 68177->68179 68180 3851d0 68178->68180 68182 38520b 68179->68182 68184 43f5b6 ___vcrt_freefls@4 6 API calls 68179->68184 68180->67801 68183 2a9b10 2 API calls 68181->68183 68182->67801 68183->68173 68186 385239 68184->68186 68187 3850f5 68185->68187 68196 385250 RtlAllocateHeap RaiseException std::_Facet_Register 68185->68196 68186->67801 68197 43f527 37 API calls 3 library calls 68187->68197 68190 38510d 68190->68175 68193 385141 68190->68193 68198 2a98a0 38 API calls 68190->68198 68192 385191 68192->68176 68199 385210 6 API calls ___vcrt_freefls@4 68192->68199 68193->68175 68193->68192 68193->68193 68195->67807 68196->68187 68197->68190 68198->68193 68199->68176 68200->67815 68201->67817 68202->67818 68205->67825 68207 2a9543 68206->68207 68221 2a95e2 68206->68221 68223 43f4a5 68207->68223 68208 2a9b10 2 API calls 68209 2a9637 68208->68209 68210 2a9b10 2 API calls 68209->68210 68212 2a9641 68210->68212 68214 2a9e50 46 API calls 68215 2a958f 68214->68215 68229 2a9450 68215->68229 68218 2a95c2 68239 43f4e6 68218->68239 68221->68208 68222 2a8e43 68221->68222 68222->68070 68224 43f4b9 __Getctype 68223->68224 68246 43b5bf 68224->68246 68230 2a94eb 68229->68230 68231 2a9481 68229->68231 68232 2a9b10 2 API calls 68230->68232 68234 2a94a1 68231->68234 68236 2a94ae 68231->68236 68233 2a94f5 68232->68233 68268 2a9390 46 API calls 68234->68268 68236->68236 68269 2a99c0 38 API calls 3 library calls 68236->68269 68238 2a94ac 68238->68218 68245 2a98a0 38 API calls 68238->68245 68240 43f4fa __Getctype 68239->68240 68270 43b7e1 68240->68270 68243 43ac4b __Getctype 37 API calls 68244 43f522 68243->68244 68244->68221 68245->68218 68247 43b5eb 68246->68247 68248 43b60e 68246->68248 68263 43ae92 37 API calls 2 library calls 68247->68263 68248->68247 68252 43b616 
68248->68252 68250 43b603 68251 43615a _ValidateLocalCookies 5 API calls 68250->68251 68253 43b740 68251->68253 68264 43dd92 48 API calls __cftof 68252->68264 68257 43ac4b 68253->68257 68255 43b697 68265 43d2b4 6 API calls ___free_lconv_mon 68255->68265 68258 43ac57 68257->68258 68259 43ac6e 68258->68259 68266 43acf6 37 API calls __Getctype 68258->68266 68260 2a9563 68259->68260 68267 43acf6 37 API calls __Getctype 68259->68267 68260->68209 68260->68214 68260->68215 68263->68250 68264->68255 68265->68250 68266->68259 68267->68260 68268->68238 68269->68238 68271 43b810 68270->68271 68272 43b7ed 68270->68272 68277 43b837 68271->68277 68279 43b2c8 48 API calls 2 library calls 68271->68279 68278 43ae92 37 API calls 2 library calls 68272->68278 68276 43b808 68276->68243 68277->68276 68280 43ae92 37 API calls 2 library calls 68277->68280 68278->68276 68279->68277 68280->68276 68286 3df336 68281->68286 68282 3df38b SetFilePointer 68284 3df3a4 GetLastError 68282->68284 68285 3df3b2 ReadFile 68282->68285 68283 3df33d 68283->67864 68284->68283 68284->68285 68285->68283 68285->68286 68286->68282 68286->68283 68287 3df466 SetFilePointer 68286->68287 68287->68283 68288 3df48e ReadFile 68287->68288 68288->68283 68302 3c0b10 68289->68302 68291 3bff3f 68292 3be29c 68291->68292 68321 3c0ff0 68291->68321 68292->67644 68294->67852 68295->67851 68296->67862 68297->67870 68298->67877 68299->67874 68300->67878 68301->67868 68303 3c0bfd 68302->68303 68304 3c0b5b SetFilePointer 68302->68304 68303->68291 68304->68303 68305 3c0c11 68304->68305 68306 2a9e50 46 API calls 68305->68306 68307 3c0c31 68306->68307 68308 3c0f5a 68307->68308 68311 3c0c6f ReadFile 68307->68311 68317 3c0e20 68307->68317 68309 2a9b10 2 API calls 68308->68309 68310 3c0f64 68309->68310 68357 2b2970 RaiseException 68310->68357 68313 3c0edc GetLastError 68311->68313 68311->68317 68354 3a2230 68 API calls 68313->68354 68314 3c0f70 68314->68291 68316 3c0ef9 68355 3a44f0 94 API calls 68316->68355 68317->68291 68319 3c0f13 
68356 3adf00 66 API calls 68319->68356 68322 3c102b SetFilePointer 68321->68322 68326 3c12ac 68321->68326 68323 3c10da 68322->68323 68324 3c1056 GetLastError 68322->68324 68323->68326 68327 3c1100 ReadFile 68323->68327 68358 3a2230 68 API calls 68324->68358 68326->68292 68329 3c1383 GetLastError 68327->68329 68353 3c1122 68327->68353 68328 3c1070 68359 3a44f0 94 API calls 68328->68359 68365 3a2230 68 API calls 68329->68365 68332 2a9e50 46 API calls 68332->68353 68333 3c13a0 68366 3a44f0 94 API calls 68333->68366 68334 3c1088 68360 3adf00 66 API calls 68334->68360 68336 3c13f9 68340 2a9b10 2 API calls 68336->68340 68337 3c13b5 68367 3adf00 66 API calls 68337->68367 68339 3c109e 68339->68292 68342 3c1403 68340->68342 68343 3c1182 ReadFile 68344 3c12d9 GetLastError 68343->68344 68343->68353 68362 3a2230 68 API calls 68344->68362 68346 3c12f6 68363 3a44f0 94 API calls 68346->68363 68349 3c1323 68349->68326 68350 3c130b 68364 3adf00 66 API calls 68350->68364 68352 2a9650 38 API calls 68352->68353 68353->68326 68353->68327 68353->68329 68353->68332 68353->68336 68353->68343 68353->68344 68353->68349 68353->68352 68361 2a99c0 38 API calls 3 library calls 68353->68361 68354->68316 68355->68319 68356->68308 68357->68314 68358->68328 68359->68334 68360->68339 68361->68353 68362->68346 68363->68350 68364->68349 68365->68333 68366->68337 68367->68349 68369 2a9e50 46 API calls 68368->68369 68370 3e1688 68369->68370 68371 3e17e9 68370->68371 68374 2a9e50 46 API calls 68370->68374 68372 2a9b10 2 API calls 68371->68372 68373 3e17f3 68372->68373 68392 3e18e0 IsWindow 68373->68392 68376 3e16ab 68374->68376 68376->68371 68378 2a9e50 46 API calls 68376->68378 68463 3bc5cb 68462->68463 68464 3bc5ba 68462->68464 68463->67931 68464->68463 68465 2a9b10 2 API calls 68464->68465 68466 3bc65a 68465->68466 68467 3bc691 68466->68467 68468 43f5b6 ___vcrt_freefls@4 6 API calls 68466->68468 68467->67931 68468->68467 68533->67906 68534->67894 68535->67910 68536->67916 68541->67908 68708->68018 
68710 3df710 68709->68710 68711 3df745 68710->68711 68712 3df734 FreeLibrary 68710->68712 68713 3df799 68711->68713 68714 3df788 CloseHandle 68711->68714 68712->68711 68713->68018 68714->68713 68715->68021 68716->68039 68717->68041 68718 3b9490 68779 3ba570 384 API calls 4 library calls 68718->68779 68720 3b94c5 68780 3bdb70 96 API calls 2 library calls 68720->68780 68722 3b94cd 68747 3c4350 68722->68747 68725 3be0a0 132 API calls 68726 3b94e6 68725->68726 68727 3b94ea 68726->68727 68758 3aab60 48 API calls 68726->68758 68729 3b9514 68759 3b6200 68729->68759 68748 2bb330 38 API calls 68747->68748 68749 3c437e 68748->68749 68750 2bb330 38 API calls 68749->68750 68751 3c4387 68750->68751 68781 3e1080 68751->68781 68753 3c438f 68806 3cc7e0 56 API calls _ValidateLocalCookies 68753->68806 68755 3c439c 68756 2a8e30 66 API calls 68755->68756 68757 3b94df 68756->68757 68757->68725 68758->68729 68818 3be3a0 68759->68818 68762 3b6253 CreateFileW 68764 3b6291 SetFilePointer 68762->68764 68765 3b6280 68762->68765 68763 3b6346 68775 3abe90 68763->68775 68764->68765 68767 3b62ba 68764->68767 68765->68763 68766 3b6339 CloseHandle 68765->68766 68766->68763 68768 385030 47 API calls 68767->68768 68769 3b62c9 68768->68769 68770 3b62e4 ReadFile 68769->68770 68848 2a97c0 38 API calls 68769->68848 68770->68765 68772 3b62f7 68770->68772 68772->68765 68849 3d8a60 103 API calls 68772->68849 68773 3b62e1 68773->68770 68854 3c6b00 58 API calls std::_Locinfo::_Locinfo_dtor 68775->68854 68777 3abece 68855 3ac0b0 68777->68855 68779->68720 68780->68722 68782 2a9650 38 API calls 68781->68782 68783 3e10bf 68782->68783 68784 3e10e0 GetFileVersionInfoSizeW 68783->68784 68814 2a97c0 38 API calls 68783->68814 68787 3e1105 68784->68787 68788 3e10f8 68784->68788 68786 3e10dd 68786->68784 68787->68753 68788->68787 68789 3e112a GetFileVersionInfoW 68788->68789 68815 2a97c0 38 API calls 68788->68815 68789->68787 68790 3e1141 68789->68790 68793 2a9e50 46 API calls 68790->68793 68792 3e1127 68792->68789 
68794 3e1146 68793->68794 68795 3e1290 68794->68795 68800 3e1150 68794->68800 68796 2a9b10 2 API calls 68795->68796 68797 3e129a 68796->68797 68807 3e12c0 68797->68807 68799 3e12a8 std::ios_base::_Ios_base_dtor 68799->68753 68801 2a8e30 66 API calls 68800->68801 68802 3e11a8 68801->68802 68804 3e11bf 68802->68804 68816 2a97c0 38 API calls 68802->68816 68804->68787 68817 2a99c0 38 API calls 3 library calls 68804->68817 68806->68755 68808 3e1338 68807->68808 68809 3e12f3 WaitForSingleObject 68807->68809 68808->68799 68810 3e132f CloseHandle 68809->68810 68811 3e1303 GetExitCodeThread 68809->68811 68810->68808 68811->68810 68812 3e131b 68811->68812 68812->68810 68813 3e1324 TerminateThread 68812->68813 68813->68810 68814->68786 68815->68792 68816->68804 68817->68787 68819 3be403 68818->68819 68820 3be447 68818->68820 68850 3bfd20 RaiseException 68819->68850 68851 3bfd80 RaiseException 68820->68851 68823 3be40c 68825 3be50a 68823->68825 68826 3be416 68823->68826 68824 3be44e 68824->68825 68827 3be456 68824->68827 68830 2a9e50 46 API calls 68825->68830 68828 3be41f 68826->68828 68829 3be563 68826->68829 68827->68829 68831 3be462 68827->68831 68833 2a9650 38 API calls 68828->68833 68853 2b2970 RaiseException 68829->68853 68834 3be51e 68830->68834 68852 3bfdd0 110 API calls 68831->68852 68838 3be43d 68833->68838 68837 3be56f 68834->68837 68834->68838 68836 3be477 FindFirstFileW 68839 3be4a9 68836->68839 68840 2a9b10 2 API calls 68837->68840 68843 43615a _ValidateLocalCookies 5 API calls 68838->68843 68841 2a9650 38 API calls 68839->68841 68842 3be579 68840->68842 68844 3be4b9 68841->68844 68845 3b623c 68843->68845 68846 3be4d8 FindClose 68844->68846 68847 3be4e6 68844->68847 68845->68762 68845->68763 68846->68847 68847->68838 68848->68773 68849->68765 68850->68823 68851->68824 68852->68836 68853->68837 68854->68777 68856 2a9e50 46 API calls 68855->68856 68857 3ac0e5 68856->68857 68860 2a9e50 46 API calls 68857->68860 68904 3ac2e6 68857->68904 68858 2a9b10 2 API calls 
68859 3ac31b 68858->68859 68872 3ac36f 68859->68872 68925 3ac5f0 239 API calls _ValidateLocalCookies 68859->68925 68862 3ac10b 68860->68862 68861 3ac5c3 68863 43615a _ValidateLocalCookies 5 API calls 68861->68863 68868 2a9e50 46 API calls 68862->68868 68862->68904 68866 3ac5dd 68863->68866 68865 3ac5e1 68928 2b2970 RaiseException 68865->68928 68870 3ac12e 68868->68870 68869 3ac5ed 68874 2a9e50 46 API calls 68870->68874 68870->68904 68872->68861 68872->68865 68906 3c8ed0 96 API calls 68872->68906 68907 3aba60 68872->68907 68927 3ab0d0 RaiseException 68872->68927 68876 3ac151 68874->68876 68882 2a9e50 46 API calls 68876->68882 68876->68904 68879 3ac43e FindFirstFileW 68880 3ac471 FindClose 68879->68880 68881 3ac4aa 68879->68881 68880->68881 68881->68872 68884 3ac508 FindClose 68881->68884 68883 3ac174 68882->68883 68885 2a9e50 46 API calls 68883->68885 68883->68904 68884->68881 68886 3ac197 68885->68886 68887 2a9e50 46 API calls 68886->68887 68886->68904 68888 3ac1ba 68887->68888 68889 2a9e50 46 API calls 68888->68889 68888->68904 68890 3ac1dd 68889->68890 68891 2a9e50 46 API calls 68890->68891 68890->68904 68892 3ac200 68891->68892 68893 2a9e50 46 API calls 68892->68893 68892->68904 68894 3ac223 68893->68894 68895 2a9e50 46 API calls 68894->68895 68894->68904 68896 3ac246 68895->68896 68897 2a9e50 46 API calls 68896->68897 68896->68904 68898 3ac269 68897->68898 68899 2a9e50 46 API calls 68898->68899 68898->68904 68900 3ac2a8 68899->68900 68901 2a9e50 46 API calls 68900->68901 68900->68904 68902 3ac2c7 68901->68902 68903 2a9e50 46 API calls 68902->68903 68902->68904 68903->68904 68904->68858 68905 3ac2ea 68904->68905 68906->68872 68910 3aba95 68907->68910 68915 3abb51 68907->68915 68908 3abb38 68930 3ad100 112 API calls 68908->68930 68910->68908 68912 2bb330 38 API calls 68910->68912 68911 3abb41 68913 2bb330 38 API calls 68911->68913 68914 3abac2 68912->68914 68913->68915 68929 3a3870 117 API calls 68914->68929 68926 3c9820 110 API calls _wcschr 68915->68926 68917 
3abaf1 68917->68908 68917->68915 68918 3abb8f 68917->68918 68919 2a9b10 2 API calls 68918->68919 68920 3abb99 68919->68920 68921 2a9e50 46 API calls 68920->68921 68922 3abbeb 68921->68922 68923 2a9b10 2 API calls 68922->68923 68924 3abd2b 68923->68924 68925->68859 68926->68879 68928->68869 68929->68917 68930->68911 68931 3c14d0 68932 2a9e50 46 API calls 68931->68932 68936 3c1525 68932->68936 68933 3c1f4f 68934 2a9b10 2 API calls 68933->68934 68935 3c1f59 68934->68935 68936->68933 68937 2a9e50 46 API calls 68936->68937 68938 3c1564 68937->68938 68938->68933 68939 2a9e50 46 API calls 68938->68939 68940 3c1582 68939->68940 68940->68933 68941 3c1681 68940->68941 69013 3a39b0 94 API calls 68940->69013 68942 2a9e50 46 API calls 68941->68942 68958 3c16be __set_se_translator 68942->68958 68944 3c15b3 68945 2bb330 38 API calls 68944->68945 68946 3c15c0 68945->68946 68950 2bb330 38 API calls 68946->68950 68947 3c1bf5 69001 3e0810 68947->69001 68948 436199 std::_Facet_Register 2 API calls 68948->68958 68952 3c1618 68950->68952 69014 3c2090 94 API calls 68952->69014 68953 3c1c43 68957 3c1dac CloseHandle 68953->68957 68990 3c1c4e 68953->68990 68955 3c1cca CreateEventW 68961 3c1ce1 68955->68961 68956 3c1cf7 CreateThread 68959 3c1d2b WaitForSingleObject GetExitCodeThread 68956->68959 68960 3c1d24 68956->68960 69041 3df930 273 API calls 68956->69041 68957->68990 68958->68933 68958->68947 68958->68948 68970 3c17cc 68958->68970 68972 3c1f43 68958->68972 68980 2a9e50 46 API calls 68958->68980 68981 39fde0 47 API calls 68958->68981 68983 2bb330 38 API calls 68958->68983 68958->68990 68991 3c1a75 __set_se_translator 68958->68991 68993 3a4920 120 API calls 68958->68993 68994 39f300 39 API calls 68958->68994 68995 3df7b0 68958->68995 69015 3a39b0 94 API calls 68958->69015 69016 3df850 CreateFileW 68958->69016 68962 3c1d6b 68959->68962 68963 3c1d43 68959->68963 68960->68959 68961->68956 68962->68953 68967 3c1d7a CloseHandle 68962->68967 68963->68953 68966 3c1d59 CloseHandle 68963->68966 
68964 3c1dce CloseHandle 68965 3c1dd8 68964->68965 68968 38c9e0 6 API calls 68965->68968 68966->68953 68967->68953 68979 3c1e0c std::ios_base::_Ios_base_dtor 68968->68979 68969 3c1e8b 68971 43f5b6 ___vcrt_freefls@4 6 API calls 68969->68971 68974 3c1e9f 68969->68974 68971->68974 69023 2b2970 RaiseException 68972->69023 68975 43615a _ValidateLocalCookies 5 API calls 68974->68975 68976 3c1f2f 68975->68976 68977 3df6d0 2 API calls 68977->68979 68979->68969 68979->68972 68979->68977 68980->68958 68981->68958 68982 39fde0 47 API calls 68982->68991 68983->68958 68985 3c1a9e FindFirstFileW 68986 3c1ae2 FindClose 68985->68986 68985->68991 68986->68991 68988 2bb330 38 API calls 68988->68991 68989 3df850 274 API calls 68989->68991 68990->68964 68990->68965 68991->68958 68991->68982 68991->68985 68991->68988 68991->68989 68992 3c1c57 68991->68992 68992->68990 68993->68958 68994->68958 68996 3df7be LoadLibraryW 68995->68996 68997 3df7b9 68995->68997 69000 3df7d7 68996->69000 68997->68958 68998 3df7f7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 68998->68958 68999 3df7f1 68999->68958 69000->68998 69000->68999 69002 3e0848 CreateEventW 69001->69002 69003 3e0876 CreateThread 69001->69003 69004 3e085d 69002->69004 69005 3e098c WaitForSingleObject GetExitCodeThread 69003->69005 69006 3e08b2 69003->69006 69025 3e0bd0 69003->69025 69004->69003 69007 3e09b9 CloseHandle 69005->69007 69008 3c1c3d 69005->69008 69009 3e09dd 69006->69009 69011 3e0970 69006->69011 69007->69008 69008->68953 69008->68955 69008->68956 69024 2b2970 RaiseException 69009->69024 69011->69005 69012 3e09e9 69013->68944 69014->68941 69015->68958 69017 3df87d 69016->69017 69018 3df8f9 69017->69018 69019 2a9b10 2 API calls 69017->69019 69018->68958 69020 3df92b 69019->69020 69040 3df940 273 API calls ___vcrt_freefls@4 69020->69040 69022 3df939 69022->68958 69023->68933 69024->69012 69030 3e09f0 69025->69030 69027 3e0bd4 69028 3e09f0 RaiseException 69027->69028 69029 3e0bd9 69028->69029 69031 3e0a2a 
69030->69031 69032 3e0b83 69031->69032 69039 2b2970 RaiseException 69031->69039 69032->69027 69034 3e0bc5 69035 3e09f0 RaiseException 69034->69035 69036 3e0bd4 69035->69036 69037 3e09f0 RaiseException 69036->69037 69038 3e0bd9 69037->69038 69038->69027 69039->69034 69040->69022 69042 2d21e0 69043 2d21f3 std::ios_base::_Ios_base_dtor 69042->69043 69048 437d0c 69043->69048 69046 2d2209 SetUnhandledExceptionFilter 69047 2d221b 69046->69047 69053 437d44 69048->69053 69050 437d15 69051 437d44 __set_se_translator 47 API calls 69050->69051 69052 2d21fd 69051->69052 69052->69046 69052->69047 69066 437d52 15 API calls 3 library calls 69053->69066 69055 437d49 69055->69050 69067 44f247 EnterCriticalSection __set_se_translator 69055->69067 69057 43fe16 69058 43fe21 69057->69058 69068 44f28c 37 API calls 6 library calls 69057->69068 69060 43fe2b IsProcessorFeaturePresent 69058->69060 69061 43fe4a 69058->69061 69062 43fe37 69060->69062 69070 44c73e 69061->69070 69069 43ad13 8 API calls 2 library calls 69062->69069 69066->69055 69067->69057 69068->69058 69069->69061 69073 44c5a5 69070->69073 69074 44c5e4 69073->69074 69075 44c5d2 69073->69075 69085 44c44e 69074->69085 69098 437247 GetModuleHandleW 69075->69098 69078 44c61b 69080 43fe54 69078->69080 69091 44c63c 69078->69091 69079 44c5d7 69079->69074 69099 44c68f GetModuleHandleExW 69079->69099 69080->69050 69086 44c45a __set_se_translator 69085->69086 69105 44a89a EnterCriticalSection 69086->69105 69088 44c464 69106 44c4ba 69088->69106 69090 44c471 __set_se_translator 69090->69078 69168 44c66d 69091->69168 69094 44c65a 69096 44c68f __set_se_translator 3 API calls 69094->69096 69095 44c64a GetCurrentProcess TerminateProcess 69095->69094 69097 44c662 ExitProcess 69096->69097 69098->69079 69100 44c6ce GetProcAddress 69099->69100 69101 44c6ef 69099->69101 69100->69101 69102 44c6e2 69100->69102 69103 44c6f5 FreeLibrary 69101->69103 69104 44c5e3 69101->69104 69102->69101 69103->69104 69104->69074 69105->69088 69107 44c4c6 
__set_se_translator 69106->69107 69108 44c52d 69107->69108 69113 44c55b 69107->69113 69114 44d049 69107->69114 69109 44c54a 69108->69109 69118 44d2ed 69108->69118 69110 44d2ed __set_se_translator 37 API calls 69109->69110 69110->69113 69113->69090 69115 44d055 __EH_prolog3 69114->69115 69122 44cda1 69115->69122 69117 44d07c std::locale::_Init 69117->69108 69119 44d314 69118->69119 69120 44d2fb 69118->69120 69119->69109 69120->69119 69133 2a1990 69120->69133 69123 44cdad __set_se_translator 69122->69123 69128 44a89a EnterCriticalSection 69123->69128 69125 44cdbb 69129 44cf59 69125->69129 69127 44cdc8 __set_se_translator 69127->69117 69128->69125 69130 44cf78 69129->69130 69131 44cf70 69129->69131 69130->69131 69132 44dbdd ___free_lconv_mon 6 API calls 69130->69132 69131->69127 69132->69131 69134 2a19cd 69133->69134 69141 2a6450 69134->69141 69136 2a1a67 69151 43651a 37 API calls 69136->69151 69138 2a1a8d 69139 43615a _ValidateLocalCookies 5 API calls 69138->69139 69140 2a1aa5 69139->69140 69140->69120 69142 2a6505 69141->69142 69143 2a64b1 69141->69143 69142->69136 69144 2a64b9 69143->69144 69145 2a6536 69143->69145 69152 2a6aa0 69144->69152 69167 2a69c0 37 API calls 69145->69167 69149 2a64bf 69149->69142 69150 2a6540 37 API calls 69149->69150 69150->69149 69151->69138 69153 2a6aab 69152->69153 69154 2a6aef 69152->69154 69156 2a6ab8 69153->69156 69159 2a6ada 69153->69159 69155 2a7630 37 API calls 69154->69155 69164 2a6ac5 69155->69164 69156->69154 69157 2a6abf 69156->69157 69161 436199 std::_Facet_Register RaiseException EnterCriticalSection 69157->69161 69158 2a6aea 69158->69149 69159->69158 69162 436199 std::_Facet_Register RaiseException EnterCriticalSection 69159->69162 69160 43af1f 37 API calls 69163 2a6af9 69160->69163 69161->69164 69165 2a6ae4 69162->69165 69164->69160 69166 2a6ace 69164->69166 69165->69149 69166->69149 69173 45783e GetPEB __set_se_translator 69168->69173 69170 44c672 69171 44c677 GetPEB 69170->69171 69172 44c646 69170->69172 69171->69172 
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        • SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 003B7F67
                                        • SetEvent.KERNEL32(?), ref: 003B7FC5
                                          • Part of subcall function 003C2AB0: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,E48E37CD), ref: 003C2ADB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
                                        • String ID: WL$%hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$T`T$T`T$T`T$T`T$T`T$T`T$h[L$hM$lMhM$>L
                                        • API String ID: 4144826820-3802258558
                                        • Opcode ID: 941135b35a92a514000031e7fe3bf4266b349bb1db16d2900626dd1ecc16fb2e
                                        • Instruction ID: 1b8a245208c6ca47c9e394b0ad25407c50174c2f11dc0a1682c7b2a5950fdd4b
                                        • Opcode Fuzzy Hash: 941135b35a92a514000031e7fe3bf4266b349bb1db16d2900626dd1ecc16fb2e
                                        • Instruction Fuzzy Hash: 4EE2C17090060ADFDB01DFA8C849BEEF7B9EF45318F158269E515EB292EB349D04CB91

                                        Control-flow Graph (function starting at 3db350; graph rendering not reproduced)
                                        Strings
                                        • PackageCode, xrefs: 003DB69B
                                        • SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 003DB3BE
                                        Similarity
                                        • API ID:
                                        • String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
                                        • API String ID: 0-2409377028
                                        • Opcode ID: e59404d4c22754609c40f48547e7ce7e7ad954f2f54edfb489d802dc5b370069
                                        • Instruction ID: 20145a162bd9bacdb0f17aa3f085fb9f65212a1a6c6886f1c80ce1bd623756c0
                                        • Opcode Fuzzy Hash: e59404d4c22754609c40f48547e7ce7e7ad954f2f54edfb489d802dc5b370069
                                        • Instruction Fuzzy Hash: 3B121072A00205DFDB11DF68EC49BAEBBB8EF45314F12412AF915AB391DB759904CFA0
                                        APIs
                                        • FindClose.KERNEL32(00000000), ref: 002BAA5F
                                        • PathIsUNCW.SHLWAPI(00000001,*.*), ref: 002BAAC3
                                        • FindFirstFileW.KERNEL32(00000001,?,*.*), ref: 002BAD0C
                                        • GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 002BAD26
                                        • GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 002BAD5A
                                        • FindClose.KERNEL32(00000000), ref: 002BADCB
                                        • SetLastError.KERNEL32(0000007B), ref: 002BADD5
                                        • PathIsUNCW.SHLWAPI(?,?,E48E37CD,?,00000000), ref: 002BB00E
                                        Strings
                                        Similarity
                                        • API ID: Path$Find$CloseFullName$ErrorFileFirstLast
                                        • String ID: *.*$\\?\$\\?\UNC\
                                        • API String ID: 2310598285-1700010636
                                        • Opcode ID: 5be5e4ed95cf890dbbc5723a5b11dc34d26d07c8dc91de2961cb5f82d4f2b336
                                        • Instruction ID: ade5b97af82254a523537e3a12c7a5f27fc78e014e31c2ffe4ff9cd4e0f5b1f5
                                        • Opcode Fuzzy Hash: 5be5e4ed95cf890dbbc5723a5b11dc34d26d07c8dc91de2961cb5f82d4f2b336
                                        • Instruction Fuzzy Hash: AD622231A106069FDB14DF68C888BAEB7B5FF44350F148669E815DB3A1EB70ED60CB90

                                        Control-flow Graph (function starting at 3ceab0; graph rendering not reproduced)
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 003CEAF8
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 003CEB05
                                        • GetLastError.KERNEL32 ref: 003CEB0F
                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 003CEB39
                                        • GetLastError.KERNEL32 ref: 003CEB3F
                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 003CEB65
                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003CEB98
                                        • EqualSid.ADVAPI32(00000000,?), ref: 003CEBA7
                                        • FreeSid.ADVAPI32(?), ref: 003CEBB6
                                        • CloseHandle.KERNEL32(00000000), ref: 003CEBF0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                        • String ID:
                                        • API String ID: 695978879-0
                                        • Opcode ID: 26f04890822572305ee85e5250293df1297363cbd507c21563af3b98b000abb8
                                        • Instruction ID: 6643928f9331394e09c0f039f39398317f882beea63365999d6fa03262cc769e
                                        • Opcode Fuzzy Hash: 26f04890822572305ee85e5250293df1297363cbd507c21563af3b98b000abb8
                                        • Instruction Fuzzy Hash: FC414A75900219ABDF119FA0CC49FEEBBB8FF19318F104129E411B2290DB799E08DF64
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: Init_thread_footer$HeapProcess
                                        • String ID:
                                        • API String ID: 275895251-0
                                        • Opcode ID: dcc224252ca2f52ddf76385dd0a46c3ffd0bfd486760358e0547573639ee9f06
                                        • Instruction ID: c7de9d142a1710dadbd09553054987f2a26fc2ffcadcb5c4b4493507f98eef93
                                        • Opcode Fuzzy Hash: dcc224252ca2f52ddf76385dd0a46c3ffd0bfd486760358e0547573639ee9f06
                                        • Instruction Fuzzy Hash: 6162AE30900649CFDB12DFA8C884B9EBBF5BF46314F1582ADE415EB292DB70AE45DB50

                                        Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Entry block 3c4050-3c4096: call 2a9e50.
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • GetLocaleInfoW.KERNEL32(?,00000002,004C337C,00000000), ref: 003C40C1
                                        • GetLocaleInfoW.KERNEL32(?,00000002,003C3B85,-00000001,00000078,-00000001), ref: 003C40FD
                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 003C4181
                                        • PeekMessageW.USER32(?,00000000), ref: 003C41C7
                                        • TranslateMessage.USER32(00000000), ref: 003C41D2
                                        • DispatchMessageW.USER32(00000000), ref: 003C41D9
                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 003C41EB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
                                        • String ID: %d-%s
                                        • API String ID: 445213441-1781338863
                                        • Opcode ID: 6fe3be321cf6e7a69f23c55d9cd58ee2c9baefd77d547ec98f4d90f2362ae4eb
                                        • Instruction ID: 9239e2c6252ae8cdccf1514f1d2f1e32b50807c4f0f3d599bd8b7f1fe6602dd8
                                        • Opcode Fuzzy Hash: 6fe3be321cf6e7a69f23c55d9cd58ee2c9baefd77d547ec98f4d90f2362ae4eb
                                        • Instruction Fuzzy Hash: 99510171A40305ABEB10DF98CC45FAEBBB8EF49724F10462AF614E72C1DB719945CBA0

                                        Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Entry block 3a2350-3a23a9: LoadLibraryW.
                                        APIs
                                        • LoadLibraryW.KERNEL32(ComCtl32.dll,E48E37CD,00000000,?,00000000), ref: 003A238E
                                        • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003A23B1
                                        • FreeLibrary.KERNEL32(00000000), ref: 003A242F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: ,(M$=-C$ComCtl32.dll$LoadIconMetric
                                        • API String ID: 145871493-272048232
                                        • Opcode ID: 17edd0bee53898bbc283a295756d47707ca7c01134e9ffe729bf0111f1531e74
                                        • Instruction ID: e771bd8318fe5a29a173bd1d5f0eee7a00a26f52f0c4d24f1bee9e32736d4c44
                                        • Opcode Fuzzy Hash: 17edd0bee53898bbc283a295756d47707ca7c01134e9ffe729bf0111f1531e74
                                        • Instruction Fuzzy Hash: 1831C571900218ABDF158F99CC44BAFBFF8EB09750F11422AF915A7280C7B88D04CB90

                                        Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Entry block 3da240-3da2d2: GetUserNameW.
                                        APIs
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 003DA2CE
                                        • GetLastError.KERNEL32 ref: 003DA2D4
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 003DA31C
                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 003DA352
                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 003DA39C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: EnvironmentNameUserVariable$ErrorLast
                                        • String ID: UserDomain
                                        • API String ID: 3567734997-2275544873
                                        • Opcode ID: 824a3313255c28266955b90e74593c420c8c1b93e82eda1f16bc595d4808d05b
                                        • Instruction ID: 4d0dc208c9b0377cb076cef4d0648485325fa018d038c8c1f40e8cd220bf427c
                                        • Opcode Fuzzy Hash: 824a3313255c28266955b90e74593c420c8c1b93e82eda1f16bc595d4808d05b
                                        • Instruction Fuzzy Hash: 74611571A10209DFDF14DFA8C955BEEBBB5FF08304F24412EE401A7280DB75AA49CBA5
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00361FF1
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • _wcschr.LIBVCRUNTIME ref: 003620AF
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 003620C4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
                                        • String ID: Kernel32.dll
                                        • API String ID: 1122257418-1926710522
                                        • Opcode ID: ec548d10ec0ca4040655dae79e8ddc99b9715e2a2d365e3404716bda9a6179ea
                                        • Instruction ID: ff97e46a133d5d903c56074839b587db7680f89ef3a391339edf4ac7cc5fd2d6
                                        • Opcode Fuzzy Hash: ec548d10ec0ca4040655dae79e8ddc99b9715e2a2d365e3404716bda9a6179ea
                                        • Instruction Fuzzy Hash: E4A17AB0500A45EFE714CF64C818B9ABBF4FF04318F21865DE8199B781D7BAA618CF90
                                        APIs
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003CCA6A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: DiskFreeSpace
                                        • String ID: \$\$\
                                        • API String ID: 1705453755-3791832595
                                        • Opcode ID: 862b03ffaac8b93e423beee9eaefd385bd1e512b08707cd6064914fde282921f
                                        • Instruction ID: e4ba898e5e627aca03687ae40b76e29acc269dbbe17fea1a993961dfb762c93c
                                        • Opcode Fuzzy Hash: 862b03ffaac8b93e423beee9eaefd385bd1e512b08707cd6064914fde282921f
                                        • Instruction Fuzzy Hash: 0E41E2369242598ACB31DF248449FABB3E4FF98354F166A2EE8CDD3140E7709C858786
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000008,?,002B0DC7,?,?,002B0B74,?), ref: 00435D12
                                        • HeapAlloc.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435D19
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,002B0B74,?), ref: 00435D5F
                                        • HeapFree.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435D66
                                          • Part of subcall function 00435BAB: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00435D55,00000000,?,?,002B0B74,?), ref: 00435BCF
                                          • Part of subcall function 00435BAB: HeapAlloc.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435BD6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: Heap$Process$Alloc$Free
                                        • String ID:
                                        • API String ID: 1864747095-0
                                        • Opcode ID: d70353475e97cbee9786dc8f7126c3896f671305edd0f1b4edd8b5105cd3d2f5
                                        • Instruction ID: b9167b618dbebd781c97ae4aa0be5ccffa62cb3715c13f970078580f241382e1
                                        • Opcode Fuzzy Hash: d70353475e97cbee9786dc8f7126c3896f671305edd0f1b4edd8b5105cd3d2f5
                                        • Instruction Fuzzy Hash: 00F0B432644F1257DB253FB8BC0CA5B2A6DAF887A1B02952EF106C6254DE24C8018B69
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 003A444F
                                        • FindClose.KERNEL32(00000000), ref: 003A44AE
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: Find$AllocateCloseFileFirstHeap
                                        • String ID:
                                        • API String ID: 1673784098-0
                                        • Opcode ID: 6afbdae409ba650d583df28331725000677220f1949f7c97e39001944862f509
                                        • Instruction ID: 61c80d62f4d925e64d6b93bea0237efa01f8d15cc0494d5306dd2cb23528215c
                                        • Opcode Fuzzy Hash: 6afbdae409ba650d583df28331725000677220f1949f7c97e39001944862f509
                                        • Instruction Fuzzy Hash: FA310134904218DBCB29DF56CC49BAAB7F8FB89314F20866EE91997780D7B15D44CF90
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID: Init_thread_footer$HeapProcess
                                        • String ID:
                                        • API String ID: 275895251-0
                                        • Opcode ID: df3c1975f4f9396fd96e3fa240acf8a43fdc75c644b6f6eea26a08b182f7ccee
                                        • Instruction ID: ead4f4914fdbad1864a70825c5062c511dac662f053da2fc645617b1fa2d96f5
                                        • Opcode Fuzzy Hash: df3c1975f4f9396fd96e3fa240acf8a43fdc75c644b6f6eea26a08b182f7ccee
                                        • Instruction Fuzzy Hash: 2FE16B30A006499FDB15DFA8CC84BAEB7B4FF45324F15826DE815EB292EB74AD05CB50
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fab0a0a03774e3f339443e652e74dd578a51b63ecf758d90c12524eb5377d2ef
                                        • Instruction ID: b03019cbbc9fc111db566e77c5b53fc4fcaa6774413e1ea3873e65e49370e0a8
                                        • Opcode Fuzzy Hash: fab0a0a03774e3f339443e652e74dd578a51b63ecf758d90c12524eb5377d2ef
                                        • Instruction Fuzzy Hash: 25416A319116499FDB25DF68C955BEAB3B4FF11320F158229F8259B2D1EB709A04CB50
                                        APIs
                                        • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,E48E37CD,E48E37CD,?,?,?,00000000,004A6015), ref: 003DBBA8
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,E48E37CD,E48E37CD,?,?,?,00000000,004A6015,000000FF), ref: 003DBBCA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Create$FileNamedPipe
                                        • String ID:
                                        • API String ID: 1328467360-0
                                        • Opcode ID: cd99dbc46657440778918d31a3dd02d0cc28bd3cfdd292c9853a7996aa537c2d
                                        • Instruction ID: 2347618cd2958c3bee1a3582f1938623d9adc4c537c198fc3d4801e8f16736de
                                        • Opcode Fuzzy Hash: cd99dbc46657440778918d31a3dd02d0cc28bd3cfdd292c9853a7996aa537c2d
                                        • Instruction Fuzzy Hash: 1331D232684745AFD721CF14DC01B96FBA4EB05720F10866FF9A5AB7D0DB71A900CB54
                                        APIs
                                        • __set_se_translator.LIBVCRUNTIME ref: 002D21F8
                                        • SetUnhandledExceptionFilter.KERNEL32(003A0760), ref: 002D220E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled__set_se_translator
                                        • String ID:
                                        • API String ID: 2480343447-0
                                        • Opcode ID: 79645cdaea69249484209b51883589b9bb785e2cda25f8a8b64a949d6e9b2db7
                                        • Instruction ID: ff3de18d4411090d646aa115f89d8353ddddaad96d37660085ef024d308c2fef
                                        • Opcode Fuzzy Hash: 79645cdaea69249484209b51883589b9bb785e2cda25f8a8b64a949d6e9b2db7
                                        • Instruction Fuzzy Hash: 9BE0267A9002006AC7125755AC0AF8A3F64EBA7715F05501EF60813152C774680CC762
                                        APIs
                                          • Part of subcall function 003A2890: __Init_thread_footer.LIBCMT ref: 003A2970
                                        • CoCreateInstance.COMBASE(004C31D8,00000000,00000001,004DF490,000000B0), ref: 003E6DCE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CreateInit_thread_footerInstance
                                        • String ID:
                                        • API String ID: 3436645735-0
                                        • Opcode ID: c67f2992a774d842a08631dbc19f24f6b7d0da08d9f805ab0f63db6503fdb322
                                        • Instruction ID: 3b8e63ea2f48a8274186c21c8dd03544fc348a8cc3036b47c0d574a20114c740
                                        • Opcode Fuzzy Hash: c67f2992a774d842a08631dbc19f24f6b7d0da08d9f805ab0f63db6503fdb322
                                        • Instruction Fuzzy Hash: 37118B75604745EBD720CF59DC05B8BBBF8EB46B14F10465EE8159B7C0C7BAA508CB90
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$CreateHeapInstanceProcess
                                        • String ID:
                                        • API String ID: 3807588171-0
                                        • Opcode ID: 5e684dd511809c0392f507b20edb85bc5ec7ff24135a18fd48c09132cd920003
                                        • Instruction ID: 56bfe3b77115ffa9492b4a8e955ea16508900fdcbfe9b129e81128291bcb851e
                                        • Opcode Fuzzy Hash: 5e684dd511809c0392f507b20edb85bc5ec7ff24135a18fd48c09132cd920003
                                        • Instruction Fuzzy Hash: E76167B1500744CFE760CF65C55838ABBE0FF05308F148A5ED48A9B782DBB9AA49CF90

                                        Control-flow Graph

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 003A2C0E
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 003A2C55
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 003A2C74
                                        • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 003A2CA3
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 003A2D18
                                        • RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 003A2D81
                                        • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 003A2DE4
                                        • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 003A2E36
                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 003A2ED3
                                        • GetProcAddress.KERNEL32(00000000), ref: 003A2EDA
                                        • __Init_thread_footer.LIBCMT ref: 003A2EEE
                                        • GetCurrentProcess.KERNEL32(?), ref: 003A2F11
                                        • IsWow64Process.KERNEL32(00000000), ref: 003A2F18
                                        • RegCloseKey.ADVAPI32(00000000), ref: 003A2F52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
                                        • String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
                                        • API String ID: 1906320730-525127412
                                        • Opcode ID: be09604c9ff602dcd39cba4a5ffaf1b6571c757462e7ebb9349b6f55f3ac46e3
                                        • Instruction ID: dcd5da143786ef7d668e07f37a75fe8cfc54fc3e4c0c95f275e2b50d87edb4c3
                                        • Opcode Fuzzy Hash: be09604c9ff602dcd39cba4a5ffaf1b6571c757462e7ebb9349b6f55f3ac46e3
                                        • Instruction Fuzzy Hash: A8A19175900328DEDB21DF24CC45BDAB7F8FB16705F1181AAE448E6290EB749E88CF95

                                        Control-flow Graph (rendered graph; legend: Executed / Not Executed)

                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 003C49DC
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                          • Part of subcall function 002B2970: RaiseException.KERNEL32(?,?,00000000,00000000,00435A3C,C000008C,00000001,?,00435A6D,00000000,?,002A91C7,00000000,E48E37CD,00000001,?), ref: 002B297C
                                        • __Init_thread_footer.LIBCMT ref: 003C4A2C
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AllocateConditionExceptionHeapRaiseVariableWake
                                        • String ID: YT$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$XiT$`iT$hiT$shfolder.dll
                                        • API String ID: 2519272855-361132733
                                        • Opcode ID: 6a07aed4a837f82e3ec1d5485d8756a675893be16ff50d8ff0cf70152254165e
                                        • Instruction ID: ec960e1fd6eb505799ccf5f4b7fd5dbead8a612e3f7a1996584ac5541805ba23
                                        • Opcode Fuzzy Hash: 6a07aed4a837f82e3ec1d5485d8756a675893be16ff50d8ff0cf70152254165e
                                        • Instruction Fuzzy Hash: 247144719002069BDB11EBA8C866FBEB3B0AF21314F12856DE466DB291EB75DD04CB52

                                        Control-flow Graph (rendered graph; legend: Executed / Not Executed)

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 003A2FF0
                                        • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 003A302B
                                        • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 003A30A6
                                        • RegCloseKey.KERNEL32(00000000), ref: 003A327E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: QueryValue$CloseOpen
                                        • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                        • API String ID: 1586453840-3149529848
                                        • Opcode ID: 0cde222daf51590a500e7b992e6c7668d7203057d835759ffb13f715c9d9fa95
                                        • Instruction ID: 47b6b87bf06f6db0f60f89adab00596113b5e1c82f0be77e2a97ce80ec9b1d8f
                                        • Opcode Fuzzy Hash: 0cde222daf51590a500e7b992e6c7668d7203057d835759ffb13f715c9d9fa95
                                        • Instruction Fuzzy Hash: 4D71D6347003499BDB229B24CC557EA7269EB53344F1184BBF906AB781EB3CCE49DB46

                                        Control-flow Graph (rendered graph; legend: Executed / Not Executed)

                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • GetTickCount.KERNEL32 ref: 003B6554
                                        • __Xtime_get_ticks.LIBCPMT ref: 003B655C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B65A6
                                        • __Init_thread_footer.LIBCMT ref: 003B67A1
                                        • GetCurrentProcess.KERNEL32 ref: 003B6B06
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 003B6B16
                                        • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 003B6B42
                                        • CloseHandle.KERNEL32(00000000), ref: 003B6B83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                        • String ID: \/:*?"<>|$tiT$tiT
                                        • API String ID: 3363527671-2398237601
                                        • Opcode ID: 2a7de1454afc864e34751d710422b55bc1f2f7d133c427a0bb3d2e527e560d9f
                                        • Instruction ID: 6e8f355544f75073c08e51df0487c2e6a5499cda9ac6923cd74ced640108ef99
                                        • Opcode Fuzzy Hash: 2a7de1454afc864e34751d710422b55bc1f2f7d133c427a0bb3d2e527e560d9f
                                        • Instruction Fuzzy Hash: 1022BF70900218DFDB10DF68CC56BEEBBB4BF55308F148199E509AB692DBB85E48CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1319 3df7b0-3df7b7 1320 3df7be-3df7d5 LoadLibraryW 1319->1320 1321 3df7b9-3df7bb 1319->1321 1322 3df7ed-3df7ef 1320->1322 1323 3df7d7-3df7e7 1320->1323 1324 3df7f7-3df849 GetProcAddress * 4 1322->1324 1325 3df7f1-3df7f4 1322->1325 1323->1322
                                        APIs
                                        • LoadLibraryW.KERNEL32(?,?,003C181B,?,?,?,?,?), ref: 003DF7C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: ,(M$EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
                                        • API String ID: 1029625771-1726033602
                                        • Opcode ID: 4ebb35e1abc825f1048a5fd2f268c0e181e81ba94b0ef0e4bfd0da827b9030d8
                                        • Instruction ID: 96e21594481e8cec4e4d42fb43e9db477e96aef383d553d2f330605d53b40edb
                                        • Opcode Fuzzy Hash: 4ebb35e1abc825f1048a5fd2f268c0e181e81ba94b0ef0e4bfd0da827b9030d8
                                        • Instruction Fuzzy Hash: 8C015A7AD04611AFCF259F28AC189867FA0BB2535A701853BF91387336D7358819EF90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1579 38dda0-38ddd7 1580 38ddd9-38dddc 1579->1580 1581 38de42-38de59 RegCreateKeyExW 1579->1581 1583 38ddde-38ddeb GetModuleHandleW 1580->1583 1584 38de35-38de39 1580->1584 1582 38de5f-38de61 1581->1582 1586 38de63-38de69 1582->1586 1587 38de84-38de95 1582->1587 1588 38dded-38de03 1583->1588 1589 38de06-38de14 GetProcAddress 1583->1589 1584->1581 1585 38de3b-38de40 1584->1585 1585->1582 1590 38de6b-38de72 RegCloseKey 1586->1590 1591 38de74-38de81 1586->1591 1589->1585 1592 38de16-38de33 1589->1592 1590->1591 1591->1587 1592->1582
                                        APIs
                                        • GetModuleHandleW.KERNEL32(Advapi32.dll,E48E37CD,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 0038DDE3
                                        • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0038DE0C
                                        • RegCreateKeyExW.KERNEL32(?,)r+,00000000,00000000,00000000,?,00000000,00000000,?,E48E37CD,?,?,?,00000000,?,Function_001BDD00), ref: 0038DE59
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 0038DE6C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AddressCloseCreateHandleModuleProc
                                        • String ID: )r+$)r+$Advapi32.dll$RegCreateKeyTransactedW
                                        • API String ID: 1765684683-1687898342
                                        • Opcode ID: afad19b04936717f4a90a49a8fcf28e3bc5fd20cc22c863f35b50df93532720b
                                        • Instruction ID: 8f9a2d35019ffe5bbeafc4be7fcfa1441ba317303277ffaa9f9d447a2471fe4e
                                        • Opcode Fuzzy Hash: afad19b04936717f4a90a49a8fcf28e3bc5fd20cc22c863f35b50df93532720b
                                        • Instruction Fuzzy Hash: 3331B172640309AFEB259F44DC45FABBBA8FB54B50F10416AF905DB2C0E771A804CB94

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1594 435a9f-435aaa 1595 435ab9-435ad0 LoadLibraryExA 1594->1595 1596 435aac-435ab8 DecodePointer 1594->1596 1597 435ad2-435ae7 call 435b4f 1595->1597 1598 435b4a 1595->1598 1597->1598 1602 435ae9-435afe call 435b4f 1597->1602 1599 435b4c-435b4e 1598->1599 1602->1598 1605 435b00-435b15 call 435b4f 1602->1605 1605->1598 1608 435b17-435b2c call 435b4f 1605->1608 1608->1598 1611 435b2e-435b48 DecodePointer 1608->1611 1611->1599
                                        APIs
                                        • DecodePointer.KERNEL32(?,?,?,00435DE5,00544C90,?,?,?,003000E6,?,E48E37CD,?,?,?,003481B7), ref: 00435AB1
                                        • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00435DE5,00544C90,?,?,?,003000E6,?,E48E37CD,?,?), ref: 00435AC6
                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,003481B7), ref: 00435B42
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: DecodePointer$LibraryLoad
                                        • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                        • API String ID: 1423960858-1745123996
                                        • Opcode ID: 64c0b32251a3ebf60d4e63b6da2560a1c5c011453450cbec620fce50504fcdd8
                                        • Instruction ID: 2725421b7ac5a6be10570caead4b3e6b0a580b7039691893a46c7e785b691ad3
                                        • Opcode Fuzzy Hash: 64c0b32251a3ebf60d4e63b6da2560a1c5c011453450cbec620fce50504fcdd8
                                        • Instruction Fuzzy Hash: E401DB70642700BBCB21A7109C43FDABB595B1574EF280056FE06773D1DA59ED09C5AD

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1612 3c2810-3c284d 1613 3c284f-3c2859 call 2a97c0 1612->1613 1614 3c285b-3c2867 call 3cc990 1612->1614 1613->1614 1619 3c286d-3c2878 1614->1619 1620 3c2952-3c2954 1614->1620 1621 3c28a8-3c28af 1619->1621 1622 3c287a-3c2892 call 3a44f0 1619->1622 1623 3c2956 1620->1623 1624 3c2973-3c2977 1620->1624 1628 3c2939-3c294f 1621->1628 1629 3c28b5-3c28bc call 2a9e50 1621->1629 1637 3c2894 1622->1637 1638 3c2897-3c28a2 1622->1638 1630 3c295c-3c2969 call 3a4920 1623->1630 1631 3c2958-3c295a 1623->1631 1626 3c297d-3c297f 1624->1626 1627 3c2a8f-3c2aa2 1624->1627 1633 3c2982-3c2989 call 2a9e50 1626->1633 1642 3c2aa5-3c2aaf call 2a9b10 1629->1642 1643 3c28c2-3c28e9 call 2ba950 1629->1643 1636 3c296e-3c2971 1630->1636 1631->1624 1631->1630 1633->1642 1644 3c298f-3c29fc call 2a8e30 CreateFileW call 39f300 1633->1644 1636->1626 1637->1638 1638->1620 1638->1621 1653 3c2909-3c292f call 3d74c0 1643->1653 1654 3c28eb-3c28ed 1643->1654 1664 3c29fe 1644->1664 1665 3c2a1a-3c2a25 1644->1665 1653->1628 1663 3c2931-3c2934 1653->1663 1656 3c28f0-3c28f9 1654->1656 1656->1656 1659 3c28fb-3c2904 call 2ba950 1656->1659 1659->1653 1663->1628 1667 3c2a08-3c2a18 1664->1667 1668 3c2a00-3c2a06 1664->1668 1666 3c2a28-3c2a4f SetFilePointer SetEndOfFile 1665->1666 1669 3c2a5f-3c2a74 1666->1669 1670 3c2a51-3c2a58 CloseHandle 1666->1670 1667->1666 1668->1665 1668->1667 1671 3c2a7e-3c2a89 1669->1671 1672 3c2a76-3c2a79 1669->1672 1670->1669 1671->1627 1671->1633 1672->1671
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003C29D1
                                        • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 003C2A30
                                        • SetEndOfFile.KERNEL32(?), ref: 003C2A39
                                        • CloseHandle.KERNEL32(?), ref: 003C2A52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointer
                                        • String ID: %sholder%d.aiph$Not enough disk space to extract file:$T`T
                                        • API String ID: 22866420-1111458124
                                        • Opcode ID: 98c047293673383d47a25abd1594ff0177e5f1616db58325940a5ea84049b76f
                                        • Instruction ID: 40df49cbfbc5c0b5327d7f3b04561f0372e2cda521e6246943fb0440af2ba05c
                                        • Opcode Fuzzy Hash: 98c047293673383d47a25abd1594ff0177e5f1616db58325940a5ea84049b76f
                                        • Instruction Fuzzy Hash: 6081BC75A002099FDB11DF68CC45FAFBBA4EF49320F15862DE925EB291EB319D11CB90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1673 3e0be0-3e0c1f call 3a29d0 1676 3e0c25-3e0c41 SHGetFolderPathW 1673->1676 1677 3e0d93-3e0d9b call 3e0e20 1673->1677 1679 3e0c4d-3e0c5c 1676->1679 1680 3e0c43-3e0c4b 1676->1680 1685 3e0d9f 1677->1685 1682 3e0c5e 1679->1682 1683 3e0c72-3e0c83 call 387f40 1679->1683 1680->1679 1680->1680 1686 3e0c60-3e0c68 1682->1686 1690 3e0ca7-3e0d5e call 438750 GetTempPathW call 438750 GetTempFileNameW call 3e0e20 Wow64DisableWow64FsRedirection CopyFileW 1683->1690 1691 3e0c85 1683->1691 1688 3e0da1-3e0dbb call 43615a 1685->1688 1686->1686 1689 3e0c6a-3e0c6c 1686->1689 1689->1677 1689->1683 1702 3e0d68-3e0d76 1690->1702 1703 3e0d60-3e0d63 call 3e0e20 1690->1703 1693 3e0c90-3e0c9c 1691->1693 1693->1677 1696 3e0ca2-3e0ca5 1693->1696 1696->1690 1696->1693 1702->1685 1705 3e0d78-3e0d88 Wow64RevertWow64FsRedirection 1702->1705 1703->1702 1705->1688 1706 3e0d8a-3e0d91 1705->1706 1706->1688
                                        APIs
                                          • Part of subcall function 003A29D0: __Init_thread_footer.LIBCMT ref: 003A2AA2
                                        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,E48E37CD,00000000,00000000), ref: 003E0C34
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 003E0CC9
                                        • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 003E0CFA
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 003E0D2D
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 003E0D4F
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 003E0D7E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
                                        • String ID: shim_clone
                                        • API String ID: 4264308349-3944563459
                                        • Opcode ID: 15c4637dbb3a0a62cb04309144c6f3231b9e165b7110f98c5495831135990e26
                                        • Instruction ID: 1ddf0c6c89a8eb913c12f92f551aa206737ecebe037d3ed944fde4752fbe65fa
                                        • Opcode Fuzzy Hash: 15c4637dbb3a0a62cb04309144c6f3231b9e165b7110f98c5495831135990e26
                                        • Instruction Fuzzy Hash: 4D514930A402689BDB29DF65CC05BAEB7F9EF94700F1442A9E405A72C1DBB49F84CB90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1719 3df2f0-3df33b call 3c2c10 1722 3df33d-3df342 1719->1722 1723 3df347-3df355 1719->1723 1724 3df4f1-3df51b call 436a15 1722->1724 1725 3df360-3df381 1723->1725 1727 3df38b-3df3a2 SetFilePointer 1725->1727 1728 3df383-3df389 1725->1728 1730 3df3a4-3df3ac GetLastError 1727->1730 1731 3df3b2-3df3c7 ReadFile 1727->1731 1728->1727 1730->1731 1732 3df4ec 1730->1732 1731->1732 1733 3df3cd-3df3d4 1731->1733 1732->1724 1733->1732 1734 3df3da-3df3eb 1733->1734 1734->1725 1735 3df3f1-3df3fd 1734->1735 1736 3df400-3df404 1735->1736 1737 3df406-3df40f 1736->1737 1738 3df411-3df415 1736->1738 1737->1736 1737->1738 1739 3df438-3df43a 1738->1739 1740 3df417-3df41d 1738->1740 1741 3df43d-3df43f 1739->1741 1740->1739 1742 3df41f-3df422 1740->1742 1745 3df454-3df456 1741->1745 1746 3df441-3df444 1741->1746 1743 3df434-3df436 1742->1743 1744 3df424-3df42a 1742->1744 1743->1741 1744->1739 1747 3df42c-3df432 1744->1747 1749 3df458-3df461 1745->1749 1750 3df466-3df48c SetFilePointer 1745->1750 1746->1735 1748 3df446-3df44f 1746->1748 1747->1739 1747->1743 1748->1725 1749->1725 1750->1732 1751 3df48e-3df4a3 ReadFile 1750->1751 1751->1732 1752 3df4a5-3df4a9 1751->1752 1752->1732 1753 3df4ab-3df4b5 1752->1753 1754 3df4cf-3df4d4 1753->1754 1755 3df4b7-3df4bd 1753->1755 1754->1724 1755->1754 1756 3df4bf-3df4c7 1755->1756 1756->1754 1757 3df4c9-3df4cd 1756->1757 1757->1754 1758 3df4d6-3df4ea 1757->1758 1758->1724
                                        APIs
                                        • SetFilePointer.KERNEL32(?,-00000400,?,00000002,00000400,E48E37CD,?,?,?,?,?), ref: 003DF396
                                        • GetLastError.KERNEL32(?,?,?,?), ref: 003DF3A4
                                        • ReadFile.KERNEL32(?,00000000,00000400,000000FF,00000000,?,?,?,?), ref: 003DF3BF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: File$ErrorLastPointerRead
                                        • String ID: ADVINSTSFX
                                        • API String ID: 64821003-4038163286
                                        • Opcode ID: 921ceabcb563a6e1d12e3c81247cc9075bf4e47db09f574a558579c3698c3884
                                        • Instruction ID: e98687b64469fd75a8bf29665770f30c5ca8845ee194506239a492ba585ae0d8
                                        • Opcode Fuzzy Hash: 921ceabcb563a6e1d12e3c81247cc9075bf4e47db09f574a558579c3698c3884
                                        • Instruction Fuzzy Hash: 3561E272A001089FDB12CF69D881BBFBBB9FF45324F658226E506A7381D7349D01CB64
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,00000024), ref: 002B2850
                                        • GetWindowLongW.USER32(?,000000FC), ref: 002B2865
                                        • CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 002B287B
                                        • GetWindowLongW.USER32(?,000000FC), ref: 002B2895
                                        • SetWindowLongW.USER32(?,000000FC,?), ref: 002B28A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$CallProc
                                        • String ID: $
                                        • API String ID: 513923721-3993045852
                                        • Opcode ID: 868143e6db9212836e062296bdd953d8b83238980b91c58759cfd6f4e2be609a
                                        • Instruction ID: 3a888ccd5dca665fb265d5f3d1c8aa38a3f8cb6b2072f65523e7c2dcbb5f7dbd
                                        • Opcode Fuzzy Hash: 868143e6db9212836e062296bdd953d8b83238980b91c58759cfd6f4e2be609a
                                        • Instruction Fuzzy Hash: 9B412271508700AFC720DF19D884A5BBBF5FF99764F104A1DF5A6836A0D772E8488F61
                                        APIs
                                        • GetModuleHandleW.KERNEL32(Advapi32.dll,E48E37CD,?,?,?,?,?,Function_001BDD00,000000FF,?,0039EE1C,?,?,000000FF), ref: 0036D943
                                        • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0036D96C
                                        • RegOpenKeyExW.KERNEL32(?,E48E37CD,00000000,?,00000000,E48E37CD,?,?,?,?,?,Function_001BDD00,000000FF,?,0039EE1C,?), ref: 0036D9A5
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BDD00,000000FF,?,0039EE1C,?,?,000000FF), ref: 0036D9B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AddressCloseHandleModuleOpenProc
                                        • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                        • API String ID: 823179699-3913318428
                                        • Opcode ID: 007ff142a88f23254849e7d892674f02f230c1a7a4d486f3af4609c4d8b50b12
                                        • Instruction ID: 7b1c2d6cd495dafde09a109d692e6e372f5249360a4c596316d48fbc389f8ee0
                                        • Opcode Fuzzy Hash: 007ff142a88f23254849e7d892674f02f230c1a7a4d486f3af4609c4d8b50b12
                                        • Instruction Fuzzy Hash: 6A21B272B04205EFDB158F45DC45BAABBF8FB45750F14852AF819D7284E775A800CB54
                                        APIs
                                        • GetDlgItem.USER32(?,00000002), ref: 003BD230
                                        • GetWindowRect.USER32(00000000,?), ref: 003BD246
                                        • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,003BCFF7,?,00000000), ref: 003BD25F
                                        • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,003BCFF7,?), ref: 003BD26A
                                        • GetDlgItem.USER32(?,000003E9), ref: 003BD27C
                                        • GetWindowRect.USER32(00000000,?), ref: 003BD292
                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 003BD2D8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Item$InvalidateShow
                                        • String ID:
                                        • API String ID: 2147159307-0
                                        • Opcode ID: ea10acb397e177c2ffe15a561b44d2e0e3482c8ec20c3d5d086a80de2bea5209
                                        • Instruction ID: 00afb482a80b491883dde4f6342b5aa82f7362b3e5aec5c592ca5b281353c107
                                        • Opcode Fuzzy Hash: ea10acb397e177c2ffe15a561b44d2e0e3482c8ec20c3d5d086a80de2bea5209
                                        • Instruction Fuzzy Hash: 2B215A74654300AFD700DF24DC49BAABBE9EF89308F10861DF9599A291E770E949CF52
                                        APIs
                                        • SetFilePointer.KERNEL32(?,?,?,00000000,E48E37CD,?,?,00000002,?,?,?,?,?,?,00000000,004A0932), ref: 003C1047
                                        • GetLastError.KERNEL32(?,00000002), ref: 003C12D9
                                        • GetLastError.KERNEL32(?,00000002), ref: 003C1383
                                        • GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,004A0932,000000FF,?,003BFF4A,00000010), ref: 003C1056
                                          • Part of subcall function 003A2230: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,E48E37CD,00000008,00000000), ref: 003A227B
                                          • Part of subcall function 003A2230: GetLastError.KERNEL32 ref: 003A2285
                                        • ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 003C1118
                                        • ReadFile.KERNEL32(?,E48E37CD,00000000,00000000,00000000,00000001,?,00000002), ref: 003C1195
                                        Similarity
                                        • API ID: ErrorLast$File$Read$FormatMessagePointer
                                        • String ID:
                                        • API String ID: 3903527278-0
                                        • Opcode ID: 1388b7e873be1192317984826a9538a94cd6a8929306dbdb2c1daaaa758aca25
                                        • Instruction ID: 0946ba0401dee19221e2be40097ac3e7f07b2f156466f3568f1eb2ab695c1d5f
                                        • Opcode Fuzzy Hash: 1388b7e873be1192317984826a9538a94cd6a8929306dbdb2c1daaaa758aca25
                                        • Instruction Fuzzy Hash: 52D19F71D00209DFDB01DFA8C885BAEB7B5FF46314F148669E815EB292EB74AD05CB90
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,E48E37CD,?,00000010,?), ref: 003BDF8A
                                          • Part of subcall function 003CEAB0: GetCurrentProcess.KERNEL32 ref: 003CEAF8
                                          • Part of subcall function 003CEAB0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 003CEB05
                                          • Part of subcall function 003CEAB0: GetLastError.KERNEL32 ref: 003CEB0F
                                          • Part of subcall function 003CEAB0: CloseHandle.KERNEL32(00000000), ref: 003CEBF0
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        Strings
                                        Similarity
                                        • API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
                                        • String ID: Extraction path set to:$T`T$[WindowsVolume]$\\?\
                                        • API String ID: 699919280-3704992650
                                        • Opcode ID: 5017eafe2f5d29c522ddd5705894fe14b6f0d83f3d76f0af9d49dcb1384aa3e9
                                        • Instruction ID: e6c76e869f8aa0db04fbdda0c9d98d593a5c85cb2f2f04e45587c37f193577a3
                                        • Opcode Fuzzy Hash: 5017eafe2f5d29c522ddd5705894fe14b6f0d83f3d76f0af9d49dcb1384aa3e9
                                        • Instruction Fuzzy Hash: 52C1EF30A006069FDB01DFADC884BEEF7B4AF01318F158268E515AB292EB70DD45CBA1
                                        APIs
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,E48E37CD,E48E37CD,?,00544C50,?,?,003C3989,?,E48E37CD,?,?,?,00000000,004A10D5), ref: 003E10E5
                                        • GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,00544C50,?,?,003C3989,?,E48E37CD,?,?,?,00000000), ref: 003E1133
                                        Strings
                                        Similarity
                                        • API ID: FileInfoVersion$Size
                                        • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                        • API String ID: 2104008232-2149928195
                                        • Opcode ID: df5a6be01fb7f08e778182bb0028d07fad1a2020e43b8c2aa7e9fdfaba48188e
                                        • Instruction ID: ebd0fb1a9f428adfc16c2540966a25c13e022eb859a9a6dd70178969b7cc3958
                                        • Opcode Fuzzy Hash: df5a6be01fb7f08e778182bb0028d07fad1a2020e43b8c2aa7e9fdfaba48188e
                                        • Instruction Fuzzy Hash: 8D71DD719001599BDB11DFAACC49BEEB7B8EF06314F15862AE911E72D1EB349D04CBA0
                                        APIs
                                          • Part of subcall function 003E0BE0: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,E48E37CD,00000000,00000000), ref: 003E0C34
                                          • Part of subcall function 003E0BE0: GetTempPathW.KERNEL32(00000104,?), ref: 003E0CC9
                                          • Part of subcall function 003E0BE0: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 003E0CFA
                                          • Part of subcall function 003E0BE0: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 003E0D2D
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,E48E37CD,00000000,?,?,00000000,004A70A5,000000FF,Shlwapi.dll,003E0F26,?,?,00000010), ref: 003E0FBD
                                        • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,00000010), ref: 003E0FE9
                                        • GetLastError.KERNEL32(?,00000010), ref: 003E102E
                                        • DeleteFileW.KERNEL32(?), ref: 003E1041
                                        Strings
                                        Similarity
                                        • API ID: File$InfoPathTempVersionWow64$DeleteDisableErrorFolderLastNameRedirectionSize
                                        • String ID: Shlwapi.dll
                                        • API String ID: 1841109139-1687636465
                                        • Opcode ID: 990feb2b58708de9fec24703c1e36704c662c0ce7f88ef284c8949edb2843428
                                        • Instruction ID: 1ddd0c85f4033bed09bf207bdf073180eb2115344b76688bfefc6a1df1066415
                                        • Opcode Fuzzy Hash: 990feb2b58708de9fec24703c1e36704c662c0ce7f88ef284c8949edb2843428
                                        • Instruction Fuzzy Hash: FA31A471900259ABDB15DFA6DC44BEFFBB8FF09350F15422AE811A3280D7359E44CBA1
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,E48E37CD,?,?,00000000,?,?,?,?,004A6FED,000000FF,?,003C1C3D), ref: 003E0850
                                        • CreateThread.KERNEL32(00000000,00000000,003E0BD0,?,00000000,?), ref: 003E0886
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003E098F
                                        • GetExitCodeThread.KERNEL32(00000000,?), ref: 003E099A
                                        • CloseHandle.KERNEL32(00000000), ref: 003E09BA
                                          • Part of subcall function 002B2970: RaiseException.KERNEL32(?,?,00000000,00000000,00435A3C,C000008C,00000001,?,00435A6D,00000000,?,002A91C7,00000000,E48E37CD,00000001,?), ref: 002B297C
                                        Similarity
                                        • API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
                                        • String ID:
                                        • API String ID: 3595790897-0
                                        • Opcode ID: 19e00e52441ccb1afbc0062274d8ef06a91b402fb5f78718f4feffeb7ba303b4
                                        • Instruction ID: 831bac5697c4a4005ee9bb1e570014d0e362b08427b8cdf4ccb29f7dedec789d
                                        • Opcode Fuzzy Hash: 19e00e52441ccb1afbc0062274d8ef06a91b402fb5f78718f4feffeb7ba303b4
                                        • Instruction Fuzzy Hash: B4516974A00719DFDB14CF69C884BAEB7F4FF48710F254669E956A73A2D770A840CB50
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • PathIsUNCW.SHLWAPI(?,?), ref: 003A4736
                                        • _wcschr.LIBVCRUNTIME ref: 003A4752
                                        Strings
                                        Similarity
                                        • API ID: Init_thread_footer$HeapPathProcess_wcschr
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 660126660-3019864461
                                        • Opcode ID: dde5496c5c28b9ad7d4806a3e7449b52c67e347c286bc284bfa398fad5590678
                                        • Instruction ID: 1a98255ae9b35ff7ba1ed6b89a23895cc68cb7861b47aa447892dfdb512aca13
                                        • Opcode Fuzzy Hash: dde5496c5c28b9ad7d4806a3e7449b52c67e347c286bc284bfa398fad5590678
                                        • Instruction Fuzzy Hash: C7C1C371A006499FDB01DBA8CC45BAEF7F8FF86310F148269E415EB2D1DB799904CBA0
                                        APIs
                                          • Part of subcall function 003B64D0: GetTickCount.KERNEL32 ref: 003B6554
                                          • Part of subcall function 003B64D0: __Xtime_get_ticks.LIBCPMT ref: 003B655C
                                          • Part of subcall function 003B64D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B65A6
                                          • Part of subcall function 003DA240: GetUserNameW.ADVAPI32(00000000,?), ref: 003DA2CE
                                          • Part of subcall function 003DA240: GetLastError.KERNEL32 ref: 003DA2D4
                                          • Part of subcall function 003DA240: GetUserNameW.ADVAPI32(00000000,?), ref: 003DA31C
                                          • Part of subcall function 003DA240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 003DA352
                                          • Part of subcall function 003DA240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 003DA39C
                                        • __Init_thread_footer.LIBCMT ref: 003B67A1
                                        Strings
                                        Similarity
                                        • API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                        • String ID: \/:*?"<>|$tiT$tiT
                                        • API String ID: 2099558200-2398237601
                                        • Opcode ID: dce86b806caaaa7a58fc5798dd0d3dfbaba9b479f96113bfb6fa1c7626fed900
                                        • Instruction ID: 7fd2bc5b49a719eb1f74e84dec2aea9a804e88710cb1db3b7c9898a1599ad7f6
                                        • Opcode Fuzzy Hash: dce86b806caaaa7a58fc5798dd0d3dfbaba9b479f96113bfb6fa1c7626fed900
                                        • Instruction Fuzzy Hash: 5DD1AD70900258CBDB14DF64CC95BEDBBB0BF16308F14419DD409AB682DBB95E48CFA1
                                        APIs
                                        • ConnectNamedPipe.KERNEL32(?,00000000,E48E37CD,?,000000FF,?,00000000,004A62A6,000000FF,?,003DC45A,000000FF,?,00000001), ref: 003DC27A
                                        • GetLastError.KERNEL32(?,003DC45A,000000FF,?,00000001), ref: 003DC284
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,E48E37CD,?,000000FF,?,00000000,004A62A6,000000FF,?,003DC45A,000000FF,?), ref: 003DC2C7
                                        Strings
                                        Similarity
                                        • API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
                                        • String ID: \\.\pipe\ToServer
                                        • API String ID: 2973225359-63420281
                                        • Opcode ID: 1fe293a1f7201c2c1592449bb6a45a4a6160fb988f619c9e7bda679331c01ea6
                                        • Instruction ID: acc1b135fd3e244cc184f4dd8871fe4af5972a046cfffc78f96a57f5dd9e57d7
                                        • Opcode Fuzzy Hash: 1fe293a1f7201c2c1592449bb6a45a4a6160fb988f619c9e7bda679331c01ea6
                                        • Instruction Fuzzy Hash: 4071EF72610209EFDB15CF58D805BAEB7B9FF45324F10862EF8259B381DBB5A900CB90
                                        APIs
                                        • __freea.LIBCMT ref: 0044F0F1
                                          • Part of subcall function 0044DC17: RtlAllocateHeap.NTDLL(00000000,00000000,0044D0E1,?,0044EE85,?,00000000,?,0043F625,00000000,0044D0E1,?,?,?,?,0044CEDB), ref: 0044DC49
                                        • __freea.LIBCMT ref: 0044F106
                                        • __freea.LIBCMT ref: 0044F116
                                        Strings
                                        Similarity
                                        • API ID: __freea$AllocateHeap
                                        • String ID: `&+
                                        • API String ID: 2243444508-3639896150
                                        • Opcode ID: c43614e6309a7a59aa89c8edbd93f90f50033d08f222a362255938c5ecd8dc4c
                                        • Instruction ID: f23007dbf5c0c8a3be0d0288540dd88e717abe30eaa77efdfc0d75be72341d41
                                        • Opcode Fuzzy Hash: c43614e6309a7a59aa89c8edbd93f90f50033d08f222a362255938c5ecd8dc4c
                                        • Instruction Fuzzy Hash: 7651C572600216AFFB205F65DC82DBB36A9EF48354F15013AFD08D7242EB79DC188768
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,E48E37CD,?,00000010,?,003B9550,?), ref: 003B6266
                                        • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 003B62AF
                                        • ReadFile.KERNEL32(00000000,E48E37CD,?,?,00000000,00000078,?), ref: 003B62ED
                                        • CloseHandle.KERNEL32(00000000), ref: 003B6339
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerRead
                                        • String ID:
                                        • API String ID: 4133201480-0
                                        • Opcode ID: 4df25b585072f63d570b0103d1af464fbe2ae1ab578d024021c09599bb863a24
                                        • Instruction ID: 7455ca0a39f6d06db13ecc8166191170acbd340c07e898400c653a5a6cacce62
                                        • Opcode Fuzzy Hash: 4df25b585072f63d570b0103d1af464fbe2ae1ab578d024021c09599bb863a24
                                        • Instruction Fuzzy Hash: A2419F70900608EBDB11DF98CC89BEEFBB8EF45328F148269E511AB2D1D7789D04CB64
                                        APIs
                                        • WaitForSingleObject.KERNEL32(00000001,?,E48E37CD,?,?,00000000,0045D670,000000FF,?,003E12A8,00000000,80004005,?,00544C50,?,?), ref: 003E12F7
                                        • GetExitCodeThread.KERNEL32(00000001,80004005,?,?,00000000,0045D670,000000FF,?,003E12A8,00000000), ref: 003E1311
                                        • TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,0045D670,000000FF,?,003E12A8,00000000), ref: 003E1329
                                        • CloseHandle.KERNEL32(00000001,?,?,00000000,0045D670,000000FF,?,003E12A8,00000000,80004005,?,00544C50,?,?,003C3989), ref: 003E1332
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
                                        • String ID:
                                        • API String ID: 3774109050-0
                                        • Opcode ID: 3b1dfc9afd6e47e22b05d81d2abe0a1ecf1c62be6921a348a02117dd19214c04
                                        • Instruction ID: c1fe4a88553e75efcaa9b1abae909884d13e208f3da2cf8cd54e1182ecc53f23
                                        • Opcode Fuzzy Hash: 3b1dfc9afd6e47e22b05d81d2abe0a1ecf1c62be6921a348a02117dd19214c04
                                        • Instruction Fuzzy Hash: 8C01B179900755EFCB219F55CC05BAAB7FCFB04710F00472EE82692AE0DB74A804CB58
                                        APIs
                                          • Part of subcall function 00452DAC: GetOEMCP.KERNEL32(00000000,?,?,?,00000104), ref: 00452DD7
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,`&+,?,?,?,?,?,`&+,004530C3,?,00000000,?,?,00000104), ref: 004532DD
                                        • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,`&+,004530C3,?,00000000,?,?,00000104), ref: 0045331F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID: `&+
                                        • API String ID: 546120528-3639896150
                                        • Opcode ID: 25ac73e293dd28494ff4433ffa9822542404cf73d6c492a69808bdb3c703ae3a
                                        • Instruction ID: 9e48896bbcb518a594f5888a240e3182dcce8bd63116b8ec8d004098afcf6dde
                                        • Opcode Fuzzy Hash: 25ac73e293dd28494ff4433ffa9822542404cf73d6c492a69808bdb3c703ae3a
                                        • Instruction Fuzzy Hash: 14512570A002449FDB21CF75C8816ABFBF5EF46346F14846FD88687253DA789A0ACB54
                                        APIs
                                        • GetLastError.KERNEL32(003BC783,00000000), ref: 003BCFA0
                                        • DestroyWindow.USER32(?), ref: 003BD057
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: DestroyErrorLastWindow
                                        • String ID: (0C
                                        • API String ID: 1182162058-4186761363
                                        • Opcode ID: 7fa83dfb409128cf1a4cbcf4f7d5888b88a868b1789ee521f0147e721cca662f
                                        • Instruction ID: b86f3755800ddb43e873a1c9fcadf38d43a53d908b80cb44bfaff945dd6ff500
                                        • Opcode Fuzzy Hash: 7fa83dfb409128cf1a4cbcf4f7d5888b88a868b1789ee521f0147e721cca662f
                                        • Instruction Fuzzy Hash: 1E2127716101098BDB21AF18EC417EA77A4EB51324F000266FD04CB690DB76EC65DBF1
                                        APIs
                                        • LCMapStringEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,E8458D00,00000100,?,E8458D00,00000000), ref: 0045033C
                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,`&+,0044F030,?,?,00000000,?,00000000), ref: 0045035A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: String
                                        • String ID: `&+
                                        • API String ID: 2568140703-3639896150
                                        • Opcode ID: 2dc35328b821997e226b838507f1483c05d024cca2a28faa3b98518d516a4f39
                                        • Instruction ID: 65557216188b6b84b6fd1637006cbeea40920510b9c1e87f62205c77835edff2
                                        • Opcode Fuzzy Hash: 2dc35328b821997e226b838507f1483c05d024cca2a28faa3b98518d516a4f39
                                        • Instruction Fuzzy Hash: 4CF0683A50051ABBCF125F91DC05EDE3F26BB48361F054165BE1825121CA36D871EB98
                                        APIs
                                        • SetFilePointer.KERNEL32(?,?,?,00000000,E48E37CD,?,?), ref: 003C0B77
                                        • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 003C0C84
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: File$PointerRead
                                        • String ID:
                                        • API String ID: 3154509469-0
                                        • Opcode ID: 1989f485b303df1d8ad37099f51be389405dee32770b3ef2c6a5a013942ad767
                                        • Instruction ID: 83fb288ddd9aae267d426e3b7100a690027c0d1bd9a5de32afdbfd4b298758d2
                                        • Opcode Fuzzy Hash: 1989f485b303df1d8ad37099f51be389405dee32770b3ef2c6a5a013942ad767
                                        • Instruction Fuzzy Hash: 62617E71D00649DFDB15DFA8C845B9DFBB4FB09720F10826EE825A7390DB75A914CB90
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,E48E37CD,?,?,?,80004005,?,00000000), ref: 003BE13E
                                        • GetLastError.KERNEL32(?,?,?,80004005,?,00000000), ref: 003BE176
                                        • GetLastError.KERNEL32(?,?,?,?,80004005,?,00000000), ref: 003BE20F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CreateFile
                                        • String ID:
                                        • API String ID: 1722934493-0
                                        • Opcode ID: 75d2db8fbb07ae9e3014f968de9aedfb071386acf193b08f4370561c1928bc8a
                                        • Instruction ID: 6ce26c2f80a371cbc182e156c00ad21e509e7825fd187ca22f424706654eef75
                                        • Opcode Fuzzy Hash: 75d2db8fbb07ae9e3014f968de9aedfb071386acf193b08f4370561c1928bc8a
                                        • Instruction Fuzzy Hash: B2510431A00A059FDB11DF6CCC41BEAF7B5FF45324F108629EA159B790EB70A905CB90
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,E48E37CD,?,?,774CE010,00000000,0049AAC5,000000FF,?,003E32A7,00000000,.part,00000005), ref: 003A496B
                                        • CreateDirectoryW.KERNEL32(000000FF,00000000,?,?,004D2A4C,00000001,?), ref: 003A4A2A
                                        • GetLastError.KERNEL32 ref: 003A4A38
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryErrorLastPath
                                        • String ID:
                                        • API String ID: 953296794-0
                                        • Opcode ID: d82a7d604e5d3f5d822a201cd747b5c1ebfd4ceb30d9f54aecd49c9d0a8806d4
                                        • Instruction ID: 1f3b0c25b38a1847226cf455a22e4e392043d1b74f97c2578709813a1a99e0a5
                                        • Opcode Fuzzy Hash: d82a7d604e5d3f5d822a201cd747b5c1ebfd4ceb30d9f54aecd49c9d0a8806d4
                                        • Instruction Fuzzy Hash: A461AF31A006099FDB11DFA8C885BDDFBF4EF56320F258269E415A72D1EBB4A904CF60
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0044C636,?,0043AD12,?,?,E48E37CD,0043AD12,?), ref: 0044C64D
                                        • TerminateProcess.KERNEL32(00000000,?,0044C636,?,0043AD12,?,?,E48E37CD,0043AD12,?), ref: 0044C654
                                        • ExitProcess.KERNEL32 ref: 0044C666
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 2abe08817c0aeed049f76fa1aac215c8c3a745fd2bb824c4da461a4bafda6919
                                        • Instruction ID: 7964044a7fa7f9fa1b6d3df34c9ecafb845cb2b086e29be4cfc8cd1df099c360
                                        • Opcode Fuzzy Hash: 2abe08817c0aeed049f76fa1aac215c8c3a745fd2bb824c4da461a4bafda6919
                                        • Instruction Fuzzy Hash: 86D05E31002504AFDF402F65DC0D85D3F29EF043457099129B90645131CF359842CA9C
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,E48E37CD), ref: 003A4E00
                                          • Part of subcall function 003A4EC0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 003A4ECD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
                                        • String ID: USERPROFILE
                                        • API String ID: 1777821646-2419442777
                                        • Opcode ID: ced8f114fbd3b81f8b85131de7b497a636e057aa44fb9b70735fcdff230f6cfa
                                        • Instruction ID: 30e3f1c25435a264a7a4bd77cdd65c08cf9bc63bf235cecae914d6dd23e6f416
                                        • Opcode Fuzzy Hash: ced8f114fbd3b81f8b85131de7b497a636e057aa44fb9b70735fcdff230f6cfa
                                        • Instruction Fuzzy Hash: 1761DF71A00209DFDB14DF69C859BAEB7A8FF85710F10866DE819DB392DB709904CB91
                                        APIs
                                        • GetCPInfo.KERNEL32(E8458D00,?,004530CF,004530C3,00000000), ref: 00452EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Info
                                        • String ID: `&+
                                        • API String ID: 1807457897-3639896150
                                        • Opcode ID: 23f786d7e498881a02161a314921b745f3988c56aaf301ab95e9ff03f3c23522
                                        • Instruction ID: 0c7fe8b7ba57c904c9d238919dfe89b123750d8426c32cebbea9714f02927d38
                                        • Opcode Fuzzy Hash: 23f786d7e498881a02161a314921b745f3988c56aaf301ab95e9ff03f3c23522
                                        • Instruction Fuzzy Hash: 4A5170715041489BDB218F24DE80AF67BB8EB16705F2405EFD89AC7183C3789D4ADF20
                                        APIs
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00304CC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID: $
                                        • API String ID: 1378638983-3993045852
                                        • Opcode ID: e27d16bb6eaae38a00e55e910e30c9ffe33ffea401214ac4b678478068dd79c8
                                        • Instruction ID: 4e8d65cd7d9b78879d57cb20fca237098dd4dc4a6ad746aebb0c41e608ce4cad
                                        • Opcode Fuzzy Hash: e27d16bb6eaae38a00e55e910e30c9ffe33ffea401214ac4b678478068dd79c8
                                        • Instruction Fuzzy Hash: 4B31E9B1006380EBEB15DF08C8A471ABBF0BF88320F04815DFA458B2A5D376DA54CB92
                                        APIs
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        • __Init_thread_footer.LIBCMT ref: 00388052
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                        • String ID: XaT
                                        • API String ID: 2296764815-2366531857
                                        • Opcode ID: 38062b841edc495c456d98527492caec878fbdd49331be3d0a45ed596f187248
                                        • Instruction ID: 89762ab05ae78867201e872aeb722d8505b9463d90f63066f6c86e2d286a7fce
                                        • Opcode Fuzzy Hash: 38062b841edc495c456d98527492caec878fbdd49331be3d0a45ed596f187248
                                        • Instruction Fuzzy Hash: 7301D4B1944745EFCB14DB58E946B84B3A0E70A728F10567EE426833C1DB39A908DA16
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 003E1931
                                        • EndDialog.USER32(00000000,00000001), ref: 003E1940
                                        Similarity
                                        • API ID: DialogWindow
                                        • String ID:
                                        • API String ID: 2634769047-0
                                        • Opcode ID: 0d9a68ea038642d3c1af7aaf0fba169f3d25995afbdf8f36ddbfc3f433e94fda
                                        • Instruction ID: 35778a65bb53caf047d28ae547f8b333f7db3ab55d7bd544877a749304338b28
                                        • Opcode Fuzzy Hash: 0d9a68ea038642d3c1af7aaf0fba169f3d25995afbdf8f36ddbfc3f433e94fda
                                        • Instruction Fuzzy Hash: C0517C30A01B85DFD711CF69C948B8AFBF4FF49310F1482AEE4559B2A1D774AA04CB91
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000), ref: 003DF735
                                        • CloseHandle.KERNEL32(?), ref: 003DF789
                                        Similarity
                                        • API ID: CloseFreeHandleLibrary
                                        • String ID:
                                        • API String ID: 10933145-0
                                        • Opcode ID: 62b86b28db716c6f6571205903f565391137baf245f00f3e26365db56545e70f
                                        • Instruction ID: 98d0fb9a39d8064c13987b2b94ca937c513e9dc1897ed8522493545d9c9b05df
                                        • Opcode Fuzzy Hash: 62b86b28db716c6f6571205903f565391137baf245f00f3e26365db56545e70f
                                        • Instruction Fuzzy Hash: 1A217276A04A019FD704CF29EC8CB96B7F8FB15754F00422AE425C73A1EB799A08DB94
                                        APIs
                                          • Part of subcall function 003A2350: LoadLibraryW.KERNEL32(ComCtl32.dll,E48E37CD,00000000,?,00000000), ref: 003A238E
                                          • Part of subcall function 003A2350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003A23B1
                                          • Part of subcall function 003A2350: FreeLibrary.KERNEL32(00000000), ref: 003A242F
                                        • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 003A0F84
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003A0F8F
                                        Similarity
                                        • API ID: LibraryMessageSend$AddressFreeLoadProc
                                        • String ID:
                                        • API String ID: 3032493519-0
                                        • Opcode ID: 973230fbe5af6fc8c910f135fcd5931b4e58b61f2e06ab549a57d269e6ebe0f5
                                        • Instruction ID: 07158ce3e97791a7c2240712dafe8761c2ce2177c353dc8a210d1dd581fa7faf
                                        • Opcode Fuzzy Hash: 973230fbe5af6fc8c910f135fcd5931b4e58b61f2e06ab549a57d269e6ebe0f5
                                        • Instruction Fuzzy Hash: 3AF030327812183BFA6021595C47F67B64DD786B64F144266FB98AF6C2ECC77C0502D8
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000000,00000000,?,0045221D,?,00000000,?,?,004524BE,?,00000007,?,?,00452B18,?,?), ref: 0044DBF3
                                        • GetLastError.KERNEL32(?,?,0045221D,?,00000000,?,?,004524BE,?,00000007,?,?,00452B18,?,?), ref: 0044DBFE
                                        Similarity
                                        • API ID: ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 485612231-0
                                        • Opcode ID: d2b7a51ed4f137b2ad38533f1884c475dd18619467e9b4e9d2cc8d648578a495
                                        • Instruction ID: f7c4d43df4ee4dd921ef206e0509c169b22af38d2ee4198c704e1de5d0a24879
                                        • Opcode Fuzzy Hash: d2b7a51ed4f137b2ad38533f1884c475dd18619467e9b4e9d2cc8d648578a495
                                        • Instruction Fuzzy Hash: 84E08631500214ABDB113FA5AC0D79A3B68AB0439AF154029F6088A161EA788894CB98
                                        APIs
                                        • GetLastError.KERNEL32(00000000,00000000,0043B034,0044EEA3,?,0043F625,00000000,0044D0E1,?,?,?,?,0044CEDB,?,?,00000004), ref: 0044D98B
                                        • SetLastError.KERNEL32(00000000), ref: 0044DA2D
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID:
                                        • API String ID: 1452528299-0
                                        • Opcode ID: 8b1fd8c5fa68000c82663309525cf6d313f426483a559de04fbf360b396b2615
                                        • Instruction ID: f3d4bee189b362ed9b03575b31dd1d5697d6f40a99bbb3c9bde8084152cec2a5
                                        • Opcode Fuzzy Hash: 8b1fd8c5fa68000c82663309525cf6d313f426483a559de04fbf360b396b2615
                                        • Instruction Fuzzy Hash: 7A11E971A046006BF7103B76ACC6F6B2A88EB1176DB10053BF515E13E2DA6C4C0AD16C
                                        APIs
                                        • EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,003C4020,?), ref: 003C3E8B
                                        Similarity
                                        • API ID: EnumLanguagesResource
                                        • String ID:
                                        • API String ID: 4141015960-0
                                        • Opcode ID: 47addae66f78ded345cb44a4257f9a700aa9ec95dbb4785b87a567a399a5f99c
                                        • Instruction ID: c5fe9b0cfb056b39176d3d569f8ece43b0d7789b708ceb32a2b6cdb8a7f9d5fd
                                        • Opcode Fuzzy Hash: 47addae66f78ded345cb44a4257f9a700aa9ec95dbb4785b87a567a399a5f99c
                                        • Instruction Fuzzy Hash: C7618C71A0161A9BDB15CF68C885F9AFBF4FF08304F11466DE914EB681E771EE448BA0
                                        APIs
                                        • DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,E48E37CD), ref: 003C2ADB
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 69ef183e06ecdbdd7ce36ae872339d4df10164f0721a5fd1f85fba03d5f71ca0
                                        • Instruction ID: ee77b911db008c74b2ac1ff3dee87c7c57db3b0cda726c6559187a91c376e7b8
                                        • Opcode Fuzzy Hash: 69ef183e06ecdbdd7ce36ae872339d4df10164f0721a5fd1f85fba03d5f71ca0
                                        • Instruction Fuzzy Hash: B941DF31900614EFDB12DF58C885F9AB7B4FB04710F1586AAE914EF291DB71AD04CBA0
                                        APIs
                                          • Part of subcall function 003A2B00: __Init_thread_footer.LIBCMT ref: 003A2B76
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        • __Init_thread_footer.LIBCMT ref: 003A2970
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                        • String ID:
                                        • API String ID: 984842325-0
                                        • Opcode ID: caea0108a22ad301f287ba94cd78aea5dfe53930e56d6107dd6a3e039871e55e
                                        • Instruction ID: 49ce6d0d0f1be182a402c93126feecc58fdc471d2eaa371366d803e6cec72025
                                        • Opcode Fuzzy Hash: caea0108a22ad301f287ba94cd78aea5dfe53930e56d6107dd6a3e039871e55e
                                        • Instruction Fuzzy Hash: 5831D0B5940A509BD715DF08EC86B86B3A1F723B1CF21421DE8114B7D0D3B6A9189B86
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,003C1B50,?,00000000,00000000,?,?), ref: 003DF86D
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                          • Part of subcall function 003DF940: WaitForSingleObject.KERNEL32(?,000000FF,E48E37CD,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 003DF974
                                        Similarity
                                        • API ID: AllocateCreateFileHeapObjectSingleWait
                                        • String ID:
                                        • API String ID: 1261966429-0
                                        • Opcode ID: 76168c8f0b9950deb82dee9c5ec6ec9c5e56b63d868e8ba24c3f32dc17d3234e
                                        • Instruction ID: bb499fdacf768f19d101acb783b34876b51ed9d554d35919568e3e9432040290
                                        • Opcode Fuzzy Hash: 76168c8f0b9950deb82dee9c5ec6ec9c5e56b63d868e8ba24c3f32dc17d3234e
                                        • Instruction Fuzzy Hash: CD31E675604B009FD325DF28E898B56B7E0FF88304F20896EE59BDB360D731AA91CB55
                                        APIs
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                          • Part of subcall function 003A2BA0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 003A2C0E
                                          • Part of subcall function 003A2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 003A2C55
                                          • Part of subcall function 003A2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 003A2C74
                                          • Part of subcall function 003A2BA0: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 003A2CA3
                                          • Part of subcall function 003A2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 003A2D18
                                        • __Init_thread_footer.LIBCMT ref: 003A2B76
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        Similarity
                                        • API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
                                        • String ID:
                                        • API String ID: 3563064969-0
                                        • Opcode ID: caa668b2093179d39d4981c4d9a27a3c46911177ad3eb1a8646d2541f6b9d3c3
                                        • Instruction ID: 566f0f9b24a9bb7d1f542310f3b1c361fa3a2f24d8ed6a65f19be2a14c072661
                                        • Opcode Fuzzy Hash: caa668b2093179d39d4981c4d9a27a3c46911177ad3eb1a8646d2541f6b9d3c3
                                        • Instruction Fuzzy Hash: 9B0126B5A00604EFCB10DF5CDC46B8A7BE4F707B24F500329F8259B7C0D738A9008A92
                                        APIs
                                          • Part of subcall function 00437F9E: RaiseException.KERNEL32(E06D7363,00000001,00000003,E48E37CD,?,?,80004005,E48E37CD), ref: 00437FFE
                                        • RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                        Similarity
                                        • API ID: AllocateExceptionHeapRaise
                                        • String ID:
                                        • API String ID: 3789339297-0
                                        • Opcode ID: 1d14c6528d8a79f2c39ff6c6f4bcee3677f8682340af93a28e054217c2e6f98e
                                        • Instruction ID: c8b0fbc0e8e604cca6bc59f804b2cb11868c4c2cc526992e6c90a44324406cc8
                                        • Opcode Fuzzy Hash: 1d14c6528d8a79f2c39ff6c6f4bcee3677f8682340af93a28e054217c2e6f98e
                                        • Instruction Fuzzy Hash: A2F0A072A48248FFCB15DF54DC02F5AFBA8FB09B14F10862EF81587690DB76A810DA58
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00000000,0044D0E1,?,0044EE85,?,00000000,?,0043F625,00000000,0044D0E1,?,?,?,?,0044CEDB), ref: 0044DC49
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 3be7f81991ccec533d74f3935f9d62bfd9773f3ad466f02540a4140e61204ec8
                                        • Instruction ID: c53a415541ef843a5ff6fce6d633f10bcb7051420bc989a318acf98180365cfc
                                        • Opcode Fuzzy Hash: 3be7f81991ccec533d74f3935f9d62bfd9773f3ad466f02540a4140e61204ec8
                                        • Instruction Fuzzy Hash: 48E0ED21E006205BFB212E669C8AB5B768C9B413A0F190127BC019A291EBE8CC00C1ED
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: 4161ad9d682441e30fc97106611a2688bc4dff69c661c4faf868099898b31a50
                                        • Instruction ID: 4576011e7d68946e01b2f0452f9d160f171cfd0b3a78347b33877d3db88aa460
                                        • Opcode Fuzzy Hash: 4161ad9d682441e30fc97106611a2688bc4dff69c661c4faf868099898b31a50
                                        • Instruction Fuzzy Hash: 5EE09AB6C0020EAADB40DFD5C496BEFBBB8EB08314F50942BA245E6141EB7857448BA5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: ed0c924c06db86c55b901bbc01193e2a010f9077c1d11b72436e1970a93d0a7b
                                        • Instruction ID: a76e66e30332d74b5a5cdbff97ff7c59b1c6a97a4509ae8eb332b964afa4254c
                                        • Opcode Fuzzy Hash: ed0c924c06db86c55b901bbc01193e2a010f9077c1d11b72436e1970a93d0a7b
                                        • Instruction Fuzzy Hash: 2EC08C302007104BC7306F28BA0874272DC5B04704F01442DA409C3200CF70DC00C658
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #T$ $T$(T$( T$(!T$("T$0T$100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8T$8#T$8$T$800$8000$@T$@ T$@!T$@"T$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$HT$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$PT$P$T$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$X!T$X"T$X#T$`T$` T$hT$hT$h$T$p!T$p"T$p#T$xT$x T$~$T$T
                                        • API String ID: 0-2557893121
                                        • Opcode ID: c01385832e7632ace9f2d10dcbb56eff488049d3ebc34ab2b4cee02164dd1b3c
                                        • Instruction ID: ff5d8f2a1a069cea9ae1820b9a44c0c66e3ebc18a88f33f55390b3ab19b2ab43
                                        • Opcode Fuzzy Hash: c01385832e7632ace9f2d10dcbb56eff488049d3ebc34ab2b4cee02164dd1b3c
                                        • Instruction Fuzzy Hash: D333BA30D957C8EFD701EBB4991A75D6EA0AB63709F60439DE1412B3E2CFBC0A049B59
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 002C420A
                                        • VariantClear.OLEAUT32(?), ref: 002C423C
                                        • VariantClear.OLEAUT32(?), ref: 002C435F
                                        • VariantClear.OLEAUT32(?), ref: 002C438E
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C4395
                                        • SysAllocString.OLEAUT32(00000000), ref: 002C43E8
                                        • VariantClear.OLEAUT32(?), ref: 002C4476
                                        • VariantClear.OLEAUT32(?), ref: 002C44A8
                                        • VariantClear.OLEAUT32(?), ref: 002C4609
                                        • VariantClear.OLEAUT32(?), ref: 002C463C
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C4647
                                        • SysAllocString.OLEAUT32(00000000), ref: 002C468A
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C4845
                                          • Part of subcall function 002C5120: VariantClear.OLEAUT32(?), ref: 002C5129
                                        • VariantClear.OLEAUT32(?), ref: 002C47FB
                                        • VariantClear.OLEAUT32(?), ref: 002C4837
                                        • SysAllocString.OLEAUT32(00000000), ref: 002C4869
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                        • API String ID: 1305860026-3153392536
                                        • Opcode ID: a9c197db3b9a6e07beb9b625e679e0970d2023d9c09302e27e519e2bd97d55d7
                                        • Instruction ID: 49bcff757c4841ad52f45f9ae4c5beb70ecd1070205b204f75d6c9a73cb3f8c9
                                        • Opcode Fuzzy Hash: a9c197db3b9a6e07beb9b625e679e0970d2023d9c09302e27e519e2bd97d55d7
                                        • Instruction Fuzzy Hash: 22925A70910358DFDB20DFA4CC54BDEBBB4BF49314F204299E449A7281EB74AA99CF94
                                        APIs
                                        • CreateFileW.KERNEL32(00546078,C0000000,00000003,00000000,00000004,00000080,00000000,E48E37CD,00546054,0054606C,?), ref: 003D7837
                                        • GetLastError.KERNEL32 ref: 003D7854
                                        • OutputDebugStringW.KERNEL32(00000000,00000020), ref: 003D78CF
                                        • OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 003D79CB
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 003D7A3C
                                        • WriteFile.KERNEL32(00000000,00545920,00000000,00000000,00000000,?,0000001C), ref: 003D7A6C
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,004C58A8,00000002), ref: 003D7B17
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 003D7B20
                                        • FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 003D7A71
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        • OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 003D7C12
                                        • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 003D7C98
                                        • FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 003D7CA3
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,004C58A8,00000002,?,?,CPU: ,00000005), ref: 003D7D17
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 003D7D20
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,004C58A8,00000002), ref: 003D7DA5
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 003D7DAE
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
                                        • String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
                                        • API String ID: 4051163352-1312762833
                                        • Opcode ID: 8783124af1ab442c3baba6ab6ad1e533db6650dfe2d495fae223cf747ee64de2
                                        • Instruction ID: 19d0af3972df91103680e2b7587ce4d93e59bda1c2cd579d8adebd2b119b780e
                                        • Opcode Fuzzy Hash: 8783124af1ab442c3baba6ab6ad1e533db6650dfe2d495fae223cf747ee64de2
                                        • Instruction Fuzzy Hash: 2212AD71A012059FDB01DF68CC49BAEBBB9FF45310F1482AAE8159B3A2EB34DD45CB50
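The entry above is the sample's file logger, and its call sites deserve a closer reading than the API names alone give. GetLastError at 003D7854 sits directly after CreateFileW at 003D7837 and before the first OutputDebugStringW at 003D78CF, which is the shape of an error-reporting path (compare the string "LOGGER->failed to create LOG at:") rather than the OutputDebugString-then-GetLastError debugger check, where GetLastError must be read immediately after OutputDebugString returns. The CreateFileW arguments C0000000, 00000003, 00000004 and 00000080 decode to GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_ALWAYS and FILE_ATTRIBUTE_NORMAL, and SetFilePointer's dwMoveMethod 00000002 is FILE_END, so the routine opens or creates the log and appends to it ("LOGGER->Reusing LOG file at:"). The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses this report's "APIs" line format and performs both decodings. The regular expression, the `Call` record and the constant tables are my own; the Win32 constant values come from the SDK headers; the embedded input is this function's listing copied from the report.

```python
"""Decode a Joe Sandbox "APIs" listing: argument constants and call order.

Added example (not part of the report).  Input lines look like
    • CreateFileW.KERNEL32(00546078,C0000000,...), ref: 003D7837
    • GetLastError.KERNEL32 ref: 003D7854
      • Part of subcall function 002A9390: FindResourceW.KERNEL32(...), ref: 002A93B7
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The logger function's listing, copied from the report (real sample data).
SAMPLE = """\
• CreateFileW.KERNEL32(00546078,C0000000,00000003,00000000,00000004,00000080,00000000,E48E37CD,00546054,0054606C,?), ref: 003D7837
• GetLastError.KERNEL32 ref: 003D7854
• OutputDebugStringW.KERNEL32(00000000,00000020), ref: 003D78CF
• OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 003D79CB
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 003D7A3C
• WriteFile.KERNEL32(00000000,00545920,00000000,00000000,00000000,?,0000001C), ref: 003D7A6C
• FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 003D7A71
  • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                      # call-site address
    callee: Optional[str] = None  # set when the call lives in a sub-function


def parse_api_listing(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), m["callee"]))
    return calls


# Win32 constants (SDK headers) needed to read the logger's arguments.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIBUTES = {0x80: "FILE_ATTRIBUTE_NORMAL"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


def _arg(call: Call, index: int) -> int:
    value = call.args[index]
    if value == "?":  # the sandbox could not recover this stack slot
        raise ValueError(f"{call.api} argument {index} was not recovered")
    return int(value, 16)


def _bits(value: int, table: Dict[int, str]) -> str:
    return "|".join(name for bit, name in table.items() if value & bit) or "0"


def decode_create_file(call: Call) -> Dict[str, str]:
    """CreateFileW has seven parameters; the listing's extra values are
    stack residue above the call and are ignored here."""
    return {
        "access": _bits(_arg(call, 1), ACCESS),
        "share": _bits(_arg(call, 2), SHARE),
        "disposition": DISPOSITION.get(_arg(call, 4), hex(_arg(call, 4))),
        "attributes": ATTRIBUTES.get(_arg(call, 5), hex(_arg(call, 5))),
    }


def decode_set_file_pointer(call: Call) -> str:
    """dwMoveMethod is the fourth SetFilePointer parameter."""
    return MOVE_METHOD[_arg(call, 3)]


def debugger_check_verdict(calls: List[Call]) -> str:
    """The OutputDebugString/GetLastError debugger check reads GetLastError
    straight after OutputDebugString returns.  Execution order is
    approximated by call-site address (fine for straight-line code; block
    reordering would need the disassembly); sub-function calls are ignored."""
    body = sorted((c for c in calls if c.callee is None), key=lambda c: c.ref)
    for prev, nxt in zip(body, body[1:]):
        if nxt.api == "GetLastError":
            if prev.api.startswith("OutputDebugString"):
                return "anti-debug pattern: GetLastError follows OutputDebugString"
            return f"GetLastError follows {prev.api} (error-reporting pattern)"
    return "no GetLastError in function body"


if __name__ == "__main__":
    calls = parse_api_listing(SAMPLE)
    create = next(c for c in calls if c.api == "CreateFileW")
    seek = next(c for c in calls if c.api == "SetFilePointer")
    print(decode_create_file(create), decode_set_file_pointer(seek))
    print(debugger_check_verdict(calls))
```

The order check is deliberately conservative: it only reports the anti-debug pattern when GetLastError is the very next call site after OutputDebugString, because a logger that emits its own failure message through OutputDebugStringW will trip any signature that merely requires both imports in one function.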
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 002C35FA
                                        • VariantClear.OLEAUT32(?), ref: 002C362C
                                        • VariantClear.OLEAUT32(?), ref: 002C3726
                                        • VariantClear.OLEAUT32(?), ref: 002C3755
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C375C
                                        • SysAllocString.OLEAUT32(00000000), ref: 002C37A3
                                        • VariantClear.OLEAUT32(?), ref: 002C3827
                                        • VariantClear.OLEAUT32(?), ref: 002C3859
                                        • VariantClear.OLEAUT32(?), ref: 002C3959
                                        • VariantClear.OLEAUT32(?), ref: 002C398C
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C3997
                                        • SysAllocString.OLEAUT32(00000000), ref: 002C39DD
                                        • VariantClear.OLEAUT32(?), ref: 002C3A5A
                                        • VariantClear.OLEAUT32(?), ref: 002C3A8C
                                        • VariantClear.OLEAUT32(?), ref: 002C3BAC
                                        • VariantClear.OLEAUT32(?), ref: 002C3BDB
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C3BE2
                                        • SysAllocString.OLEAUT32(00000000), ref: 002C3C35
                                        • VariantClear.OLEAUT32(?), ref: 002C3CBA
                                        • VariantClear.OLEAUT32(?), ref: 002C3CEC
                                        • VariantClear.OLEAUT32(?), ref: 002C3DDD
                                        • VariantClear.OLEAUT32(?), ref: 002C3E0A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID:
                                        • API String ID: 1305860026-0
                                        • Opcode ID: bfb8be357617805e87c08c237734d1c8f4562f320d04a35b4444fa493da98745
                                        • Instruction ID: b88e7f5d5092d516cdc3d72ad6c238556c1fe449fc0c7978995f93eb4a7ba5c6
                                        • Opcode Fuzzy Hash: bfb8be357617805e87c08c237734d1c8f4562f320d04a35b4444fa493da98745
                                        • Instruction Fuzzy Hash: 88429E71910249DFCB00DFA8CC48BDEBBB4FF09314F148669E405E7291EB789A59CBA5
                                        APIs
                                          • Part of subcall function 002AF5F0: EnterCriticalSection.KERNEL32(00546250,E48E37CD,00000000,?,?,?,?,?,?,P*,0045F68D,000000FF), ref: 002AF62D
                                          • Part of subcall function 002AF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 002AF6A8
                                          • Part of subcall function 002AF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 002AF74E
                                        • SysFreeString.OLEAUT32(00000000), ref: 002AF233
                                        • SysAllocString.OLEAUT32(00000000), ref: 002AF264
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002AF33B
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002AF34B
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002AF356
                                        • NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 002AF364
                                        • GetWindowLongW.USER32(?,000000EB), ref: 002AF372
                                        • SetWindowTextW.USER32(?,004C337C), ref: 002AF411
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 002AF448
                                        • GlobalLock.KERNEL32(00000000), ref: 002AF456
                                        • GlobalUnlock.KERNEL32(?), ref: 002AF47A
                                        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 002AF501
                                        • SysFreeString.OLEAUT32(00000000), ref: 002AF516
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 002AF55D
                                        • SysFreeString.OLEAUT32(00000000), ref: 002AF585
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
                                        • String ID: L4C$P*$P*$~4C
                                        • API String ID: 4180125975-2871586407
                                        • Opcode ID: fd7508535ac0dbfbdd8722c288715d018d3ecc8358611a7aae79a69f7c7ba390
                                        • Instruction ID: 23fe2ae23dd55027b6ecb937d2d2bf416517009cd491a24ed2c6898c9f14d18b
                                        • Opcode Fuzzy Hash: fd7508535ac0dbfbdd8722c288715d018d3ecc8358611a7aae79a69f7c7ba390
                                        • Instruction Fuzzy Hash: 3CD1D271900206EFDF10DFE4CD48BAFBBB8EF4A314F144168E911A7280DB799A15CBA1
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 002B8D83
                                        • ShowWindow.USER32(00000000,?), ref: 002B8DA2
                                        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 002B8DB0
                                        • GetWindowRect.USER32(00000000,?), ref: 002B8DC7
                                        • ShowWindow.USER32(00000000,?), ref: 002B8DE8
                                        • SetWindowLongW.USER32(?,000000EB,?), ref: 002B8DFF
                                          • Part of subcall function 002B2970: RaiseException.KERNEL32(?,?,00000000,00000000,00435A3C,C000008C,00000001,?,00435A6D,00000000,?,002A91C7,00000000,E48E37CD,00000001,?), ref: 002B297C
                                        • ShowWindow.USER32(?,?), ref: 002B8F43
                                        • GetWindowLongW.USER32(?,000000EB), ref: 002B8F79
                                        • ShowWindow.USER32(?,?), ref: 002B8F96
                                        • GetWindowRect.USER32(?,?), ref: 002B8FBB
                                        • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 002B90F8
                                        • GetWindowRect.USER32(?,?), ref: 002B91B5
                                        • GetWindowRect.USER32(?,?), ref: 002B9207
                                        • SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 002B9243
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$LongRectShow$MessageSend$ExceptionRaise
                                        • String ID: L/C
                                        • API String ID: 1022490566-2064156145
                                        • Opcode ID: c26cd01edc2025b1bb2c997822101a86675079f9b2cb384b60f8dd65eb6483c6
                                        • Instruction ID: 874e2b030eac3eb2ea9c0a1d483f6430060670f245063b4ee2d630cf96fc8c60
                                        • Opcode Fuzzy Hash: c26cd01edc2025b1bb2c997822101a86675079f9b2cb384b60f8dd65eb6483c6
                                        • Instruction Fuzzy Hash: 1B12CD31914606AFDB25CF68C844BAABBF5FF89344F00491DF58A97260DB30E899CF51
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002AECCB
                                        • GetWindowLongW.USER32(00000004,000000EC), ref: 002AECDB
                                        • SetWindowLongW.USER32(00000004,000000EC,00000000), ref: 002AECE6
                                        • NtdllDefWindowProc_W.NTDLL(00000004,?,00000001,?), ref: 002AECF4
                                        • GetWindowLongW.USER32(00000004,000000EB), ref: 002AED02
                                        • SetWindowTextW.USER32(00000004,004C337C), ref: 002AEDA1
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 002AEDD8
                                        • GlobalLock.KERNEL32(00000000), ref: 002AEDE6
                                        • GlobalUnlock.KERNEL32(?), ref: 002AEE0A
                                        • SetWindowLongW.USER32(00000004,000000EB,00000000), ref: 002AEE6F
                                        • NtdllDefWindowProc_W.NTDLL(00000004,?,00000000,00000000), ref: 002AEEBD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                        • String ID: L4C$~4C
                                        • API String ID: 3555041256-3149871551
                                        • Opcode ID: 7074bcd135bbb9a922f751e7dd31e1d926fe53c97a5706f09de207e9caa5561a
                                        • Instruction ID: 2888e0bf9da2f1401a17f0a913f8955534844cc61fd2d4bd23943104121e8b63
                                        • Opcode Fuzzy Hash: 7074bcd135bbb9a922f751e7dd31e1d926fe53c97a5706f09de207e9caa5561a
                                        • Instruction Fuzzy Hash: C0A10071910206EBDF10DFA4CD08BAFBBB9EF46320F254619F911A7291DB388915CBA1
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 003AC452
                                        • FindClose.KERNEL32(00000000), ref: 003AC480
                                        • FindClose.KERNEL32(00000000), ref: 003AC509
                                        Strings
                                        • No acceptable version found. It must be downloaded., xrefs: 003AC8DD
                                        • An acceptable version was found., xrefs: 003AC8CF
                                        • No acceptable version found. It is already downloaded and it will be installed., xrefs: 003AC8F2
                                        • No acceptable version found. It must be downloaded manually from a site., xrefs: 003AC8E4
                                        • Not selected for install., xrefs: 003AC900
                                        • No acceptable version found. Operating System not supported., xrefs: 003AC8EB
                                        • No acceptable version found., xrefs: 003AC8F9
                                        • No acceptable version found. It must be installed from package., xrefs: 003AC8D6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                        • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                        • API String ID: 544434140-749633484
                                        • Opcode ID: 93842dd9a5c0e3e63aadedbe89107f35f4897cfed1d07dd9a80b255c9288ca06
                                        • Instruction ID: 179f33f5c7301fc1f2ad411e180617ae2022acfa20a8e6823c35941f73a17aa5
                                        • Opcode Fuzzy Hash: 93842dd9a5c0e3e63aadedbe89107f35f4897cfed1d07dd9a80b255c9288ca06
                                        • Instruction Fuzzy Hash: D1F19E30900609CFDB11DF69C9487AEFBF5EF46310F148699E8599B392EB34AA44CF91
                                        APIs
                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 002FFC1B
                                        • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 002FFC2B
                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 002FFC40
                                        • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 002FFC51
                                        • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 002FFC64
                                        • GetWindowRect.USER32(?,?), ref: 002FFC92
                                          • Part of subcall function 003012B0: CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0030130F
                                          • Part of subcall function 003012B0: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,002FFDEC,00000000,E48E37CD,?,?), ref: 00301328
                                          • Part of subcall function 002B0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 002B0DE6
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 002FFCF4
                                        • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 002FFD04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateLongRect
                                        • String ID: ,
                                        • API String ID: 1954517558-3772416878
                                        • Opcode ID: 094066336ad41b446879842e182500df6950214dfbef2ec3e5faa95e288dc4ba
                                        • Instruction ID: fcd367d23795f00c017e167288eeb26636cf3c61cc80564e1f3b455a6744e9cc
                                        • Opcode Fuzzy Hash: 094066336ad41b446879842e182500df6950214dfbef2ec3e5faa95e288dc4ba
                                        • Instruction Fuzzy Hash: 14A1F571A002199FDB14CFA9CD85BAEBBF9FB48300F50462AE516EB291D774A914CF50
                                        APIs
                                        • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 002C6143
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        • __Init_thread_footer.LIBCMT ref: 002C610F
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        • SendMessageW.USER32(?,0000104D,00000000,?), ref: 002C643F
                                        • SendMessageW.USER32(?,0000102B,?,?), ref: 002C64CF
                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 002C6555
                                        • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 002C6695
                                          • Part of subcall function 002AC3F0: __floor_pentium4.LIBCMT ref: 002AC40D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__floor_pentium4
                                        • String ID: AiFeatIco
                                        • API String ID: 4294328693-859831556
                                        • Opcode ID: b7591bbd36a7179e93dcdd6c3870c0740e887b18fe5604e9937186c19dee100b
                                        • Instruction ID: d0c09bac92262140169b447dc859ad7a3e00bdb378bcb5ff8a878cbd017c49c5
                                        • Opcode Fuzzy Hash: b7591bbd36a7179e93dcdd6c3870c0740e887b18fe5604e9937186c19dee100b
                                        • Instruction Fuzzy Hash: 1C22BF71900249DFDF14DF68C889BEDBBB5FF59304F144269E805AF292DB70AA44CBA1
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00382C80
                                        • SendMessageW.USER32(?,00000443,00000000), ref: 00382CEA
                                        • MulDiv.KERNEL32(?,00000000), ref: 00382D21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow
                                        • String ID: ;3C$NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                        • API String ID: 701072176-3522137364
                                        • Opcode ID: 59ce2407f9dcf4fab473a24be334e38437e182ffac361119719c4b548ae8ab61
                                        • Instruction ID: 43f9c4c6869cd7d6e6d1a6bd7f71a2038325a4e655e2ffba76d5518409baeb30
                                        • Opcode Fuzzy Hash: 59ce2407f9dcf4fab473a24be334e38437e182ffac361119719c4b548ae8ab61
                                        • Instruction Fuzzy Hash: 44C1BC71A00709AFEB14CF64CC55BEAB7F1EF89300F008299E556AB2D1DB746A49CF94
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$`&+
                                        • API String ID: 4168288129-3694619426
                                        • Opcode ID: d76cbd32e4eb69a501cbf0d3a5d48f88cdb17db5032f88d2ccf81556d3f1dac4
                                        • Instruction ID: 2391e8d383a4fa715678de9ea15771a31caf2977e851f00557481547bbc30b12
                                        • Opcode Fuzzy Hash: d76cbd32e4eb69a501cbf0d3a5d48f88cdb17db5032f88d2ccf81556d3f1dac4
                                        • Instruction Fuzzy Hash: DBD22871E08228CBDB65CE28CD407EAB7B5EB45306F1445EBD80DE7241DB38AE898F45
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • _wcschr.LIBVCRUNTIME ref: 003CA6D9
                                        • GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 003CA82E
                                        • GetDriveTypeW.KERNEL32(?), ref: 003CA84A
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 003CAA37
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 003CAAC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Wow64$DriveInit_thread_footerRedirection$DisableHeapLogicalProcessRevertStringsType_wcschr
                                        • String ID: ]%!
                                        • API String ID: 2638324580-1069524040
                                        • Opcode ID: 6fb49250e826b9c4143cb1da5b5a268f337caf371790e0373ef60440780ac079
                                        • Instruction ID: a22c1121666dc9f346f3e9f41250ac0ac3ccf6230b4a0fee04811416b0188e1b
                                        • Opcode Fuzzy Hash: 6fb49250e826b9c4143cb1da5b5a268f337caf371790e0373ef60440780ac079
                                        • Instruction Fuzzy Hash: 69F1CE30900A59DFDB25DB68CC84BADB7B4AF04314F1582EDE41AEB291DB709E84CF91
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • GetACP.KERNEL32(?,?,?,?,?,?,004493AE,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00453C41
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004493AE,?,?,?,00000055,?,-00000050,?,?), ref: 00453C6C
                                        • _wcschr.LIBVCRUNTIME ref: 00453D00
                                        • _wcschr.LIBVCRUNTIME ref: 00453D0E
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00453DCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                        • String ID: utf8
                                        • API String ID: 4147378913-905460609
                                        • Opcode ID: 8d8a17bfc3a148960dd2d0264b19846864f5c719cb7a362e9a2668596b49db6f
                                        • Instruction ID: 028db6e42bdb22424eb4381d3b92cc949fc34003b4befbc31c9aa7a9df2f9b9e
                                        • Opcode Fuzzy Hash: 8d8a17bfc3a148960dd2d0264b19846864f5c719cb7a362e9a2668596b49db6f
                                        • Instruction Fuzzy Hash: A971F871A00205AAD725AF75CC42B6773B8EF04787F14442FFD05DB282EA78EE48C669
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,E48E37CD,?,00000000,00000000), ref: 003DFBF1
                                        • FindNextFileW.KERNEL32(?,00000000), ref: 003DFC0C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: FileFind$FirstNext
                                        • String ID:
                                        • API String ID: 1690352074-0
                                        • Opcode ID: b090e4db9fb3fed8c548e998b6d765da3b74ade75593ad2db74b231bf36b069e
                                        • Instruction ID: 99a014b78f1c0329036c2dcabf2ee856a105b6d84ecd0705351e1a6f38362ef0
                                        • Opcode Fuzzy Hash: b090e4db9fb3fed8c548e998b6d765da3b74ade75593ad2db74b231bf36b069e
                                        • Instruction Fuzzy Hash: 3B716C71900289DFDB11DFA9CC48BEEBBB8FF05314F15826AE815AB291DB749E04CB50
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: _strrchr
                                        • String ID: `&+
                                        • API String ID: 3213747228-3639896150
                                        • Opcode ID: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
                                        • Instruction ID: 83bd5b5a10836bbcef22d22cb4a10d439434ee50a50f811470bd78a3964eccb7
                                        • Opcode Fuzzy Hash: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
                                        • Instruction Fuzzy Hash: D5B16932D042559FEB25CF28C8817EEBBA5EF59304F14816BE815AB341C27C9D05CBA9
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 003A3BA8
                                        • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 003A3C45
                                        • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 003A3C6B
                                        • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 003A3CB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess
                                        • String ID: P3L
                                        • API String ID: 3625725927-419209001
                                        • Opcode ID: fb06dd6e97db8f0072e78f845b3fefe8e08cf80e0d34cf7ab93bfb18184f099d
                                        • Instruction ID: aa754fef8b9ce888dfacd67a8dbb59aa2d222d19140bee78681c46dd7dc710b4
                                        • Opcode Fuzzy Hash: fb06dd6e97db8f0072e78f845b3fefe8e08cf80e0d34cf7ab93bfb18184f099d
                                        • Instruction Fuzzy Hash: FDA1B271A002099FDB15DF68CC49BAEB7F5FF45324F24862EE81597381EBB59A048B90
                                        APIs
                                        • ShowWindow.USER32(?,00000000), ref: 00300B67
                                        • ShowWindow.USER32(?,00000005), ref: 00300B93
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00300BC5
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00300BE3
                                        • NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?), ref: 00300BF6
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00300C0D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$Show$NtdllProc_
                                        • String ID:
                                        • API String ID: 3227303085-0
                                        • Opcode ID: 5a8e9e514b5e364a6c8697a582b0aa53a8603fbea817bcb5160dac96c580f65c
                                        • Instruction ID: 2e861a5ed95189285b4bcdb9baacfb295595177264467ebe5339d188c83d92c6
                                        • Opcode Fuzzy Hash: 5a8e9e514b5e364a6c8697a582b0aa53a8603fbea817bcb5160dac96c580f65c
                                        • Instruction Fuzzy Hash: FB215935A45204DFDB159F58DC58BADBBB2FF49324F210229E426AB3E1CB366814DF40
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000C,00435BBD,00000000,?,00435D55,00000000,?,?,002B0B74,?), ref: 00435CA3
                                        • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,002B0B74,?), ref: 00435CCA
                                        • HeapAlloc.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435CD1
                                        • InitializeSListHead.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435CDE
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,002B0B74,?), ref: 00435CF3
                                        • HeapFree.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435CFA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                        • String ID:
                                        • API String ID: 1475849761-0
                                        • Opcode ID: 63f4e7ae83183da5fb1577058d8d947f21f13db7a34c253921fe4ba3be8f3d95
                                        • Instruction ID: 3eab032fcb727d9e3f845b5211f2dea6dc88ef7fc6609482d6067484629f927d
                                        • Opcode Fuzzy Hash: 63f4e7ae83183da5fb1577058d8d947f21f13db7a34c253921fe4ba3be8f3d95
                                        • Instruction Fuzzy Hash: 14F0CD35641A019BDB20AF29BC48B0B37ECBB98B56F06863DF942C3350DF74C804DA68
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,0045462D,00000002,00000000,?,?,?,0045462D,?,00000000), ref: 004543A8
                                        • GetLocaleInfoW.KERNEL32(?,20001004,0045462D,00000002,00000000,?,?,?,0045462D,?,00000000), ref: 004543D1
                                        • GetACP.KERNEL32(?,?,0045462D,?,00000000), ref: 004543E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 3fefda5bfe33a24281c7e616bcb5ff5b81159eed1861502198da7466d332f990
                                        • Instruction ID: ba4cc8167420b325102272f75a6aff5dae757d32ece5d4d9e856ba1c3e78cc38
                                        • Opcode Fuzzy Hash: 3fefda5bfe33a24281c7e616bcb5ff5b81159eed1861502198da7466d332f990
                                        • Instruction Fuzzy Hash: AE21F432701100A7D7348F54C901A9B73AAEFD4B5AB568476ED0ACF326E736DE89C358
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004545F0
                                        • IsValidCodePage.KERNEL32(00000000), ref: 00454639
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00454648
                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00454690
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004546AF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                        • String ID:
                                        • API String ID: 415426439-0
                                        • Opcode ID: 56960d070d74530ec4b6c47ae03905ef30ea43ce48957d0c381f739476fa2566
                                        • Instruction ID: 8ec2445c47cf08bbf3cd846ce190d4590409bd8ccb278e35104d91e914774c5c
                                        • Opcode Fuzzy Hash: 56960d070d74530ec4b6c47ae03905ef30ea43ce48957d0c381f739476fa2566
                                        • Instruction Fuzzy Hash: 6051B671900209ABDF10DF65CC45ABB73B8BF4570AF04056AFE04DB252E7789948CB69
                                        APIs
                                        • GetWindowLongW.USER32(00000003,000000FC), ref: 002BC546
                                        • SetWindowLongW.USER32(00000003,000000FC,?), ref: 002BC558
                                        • DeleteCriticalSection.KERNEL32(?,E48E37CD,?,?,?,?,004619C4,000000FF), ref: 002BC583
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: LongWindow$CriticalDeleteSection
                                        • String ID: PVL
                                        • API String ID: 1978754570-7733451
                                        • Opcode ID: 254d0e4ae26c2db48db8fdefe3bc042aa5c4250fd983cdbc9041fe57660d8a8b
                                        • Instruction ID: a563b2a3cb84dc3554f24acc63220e861800cefa6f62236a449636ad70fbbd04
                                        • Opcode Fuzzy Hash: 254d0e4ae26c2db48db8fdefe3bc042aa5c4250fd983cdbc9041fe57660d8a8b
                                        • Instruction Fuzzy Hash: 5B31D474900646EBCF20DF24CC48B9ABBF8BF15354F14821AE814A36D1D775EA14DB90
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca7f8c7eb1af99be2373199dc3b1da3ffc7bd8e3fb1902ae682f47b1f51a6204
                                        • Instruction ID: de89b569ebcc64a83b427c2a6853217ebd2817472d39772195e9947e478f3a62
                                        • Opcode Fuzzy Hash: ca7f8c7eb1af99be2373199dc3b1da3ffc7bd8e3fb1902ae682f47b1f51a6204
                                        • Instruction Fuzzy Hash: E1816A719012199FDB50DF68CC8AB99F7B8EF45314F1482DDE818AB292DB709E84CF91
                                        APIs
                                        • FindResourceW.KERNEL32(00000000,?,00000017,E48E37CD,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 0033AB88
                                        • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 0033AB9B
                                        • LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 0033ABAA
                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 0033ABBA
                                          • Part of subcall function 003A1480: MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,00000000,E48E37CD,00000000,00000000), ref: 003A14D4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Resource$ByteCharFindLoadLockMultiSizeofWide
                                        • String ID:
                                        • API String ID: 203124936-0
                                        • Opcode ID: f47150750eb0b14f1f2374b0a91e2a5760d6e86d50fdf4ec8f54d96df9284b3b
                                        • Instruction ID: e098b156c6f3840fe23587c1af29a7258451371f287ac118790866a482d65e91
                                        • Opcode Fuzzy Hash: f47150750eb0b14f1f2374b0a91e2a5760d6e86d50fdf4ec8f54d96df9284b3b
                                        • Instruction Fuzzy Hash: 2C31E471E04B05ABDB209F74DC45BABF7B8EB48750F015729E855A73C0EB70A904CBA2
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00300D3E
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00300D5C
                                        • NtdllDefWindowProc_W.NTDLL(?,00000086,?,00000000), ref: 00300D6E
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00300D80
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$NtdllProc_
                                        • String ID:
                                        • API String ID: 3674618424-0
                                        • Opcode ID: f2bbae604c3b22c59595e4acd64fd2dab0cd44ea2ac261c95560223b0cee7837
                                        • Instruction ID: ff932ecba19253bd31ece3b23d3c26a69a05f04373da9953e482c7ff4f18f78f
                                        • Opcode Fuzzy Hash: f2bbae604c3b22c59595e4acd64fd2dab0cd44ea2ac261c95560223b0cee7837
                                        • Instruction Fuzzy Hash: D6319A70A48254AFDB11CF68DD89B99BBB1EF46320F10429AE811AB3E1CB756D14DB50
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00300C3C
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00300C5A
                                        • NtdllDefWindowProc_W.NTDLL(?,00000080,?,?), ref: 00300C70
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00300C87
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$NtdllProc_
                                        • String ID:
                                        • API String ID: 3674618424-0
                                        • Opcode ID: b55db4e67a3a914bed7555d4613b07b74d2f18005d2824217437f68a413c2f39
                                        • Instruction ID: c150bd8dc2f16fea7dbdafc7845e40c9189af867b93a93d2b64f6bbbe04dfc65
                                        • Opcode Fuzzy Hash: b55db4e67a3a914bed7555d4613b07b74d2f18005d2824217437f68a413c2f39
                                        • Instruction Fuzzy Hash: 42111276A04259AFDF219F98DC44B9DBBB5EB49320F21032AE925A33E0CB7219149B40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: &$</a>$<a>$tYT
                                        • API String ID: 1385522511-4292537815
                                        • Opcode ID: 61322bbf198561f52976c05f72a3af3c50aff1929311197641b2933c0e730efa
                                        • Instruction ID: e214eb006b70cd23e618dd309980f8011af76405f7ba6987980c1956ac5c5d04
                                        • Opcode Fuzzy Hash: 61322bbf198561f52976c05f72a3af3c50aff1929311197641b2933c0e730efa
                                        • Instruction Fuzzy Hash: D6922270D012A9DFDB25DBA8C944BDDBBB4AF18304F1085DAE409B7292DB745E88CF61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: yxxx$yxxx$yxxx$yxxx
                                        • API String ID: 0-3504637693
                                        • Opcode ID: a6aa1bece39e65445dd18bb5d8ecf3d7e7659061379142ec94ce2fb52e19cada
                                        • Instruction ID: 87f330455e20a50e73a41db49bc31685af034f464b4f591fe11d64a1397dbce4
                                        • Opcode Fuzzy Hash: a6aa1bece39e65445dd18bb5d8ecf3d7e7659061379142ec94ce2fb52e19cada
                                        • Instruction Fuzzy Hash: 2702B4B1E005059FCB18DF59C981AAEB7F5EF88300F14862EE816EB395DB34E941CB94
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 003CB88C
                                        • FindClose.KERNEL32(00000000), ref: 003CB9D7
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Find$AllocateCloseFileFirstHeap
                                        • String ID: %d.%d.%d.%d
                                        • API String ID: 1673784098-3491811756
                                        • Opcode ID: 2daa240c7b79a83c1777d5af572907cfd55ee42bca6f13404acb1fd24a037a91
                                        • Instruction ID: afc1bf9c249008c5b9df03a1356eb3f424f6acbbcb65cf6ccf4d2efa9bb7c448
                                        • Opcode Fuzzy Hash: 2daa240c7b79a83c1777d5af572907cfd55ee42bca6f13404acb1fd24a037a91
                                        • Instruction Fuzzy Hash: 8A616971905219DFDF20DF68CC49B9DBBB4AF05314F10829AE819AB291DB769E84CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                        • API String ID: 0-932585912
                                        • Opcode ID: eaec2a7afb93f956c7c7e2905ce5d621ebd021fbbf3c115a4d051fbc2a545370
                                        • Instruction ID: 7351e33e3bb03e40f787ad2216839efe1543fe2d14c4d1f400e24ec799044348
                                        • Opcode Fuzzy Hash: eaec2a7afb93f956c7c7e2905ce5d621ebd021fbbf3c115a4d051fbc2a545370
                                        • Instruction Fuzzy Hash: CBD19D70D10218DFEF04CFA9CC45BEEBBB1AF45304F508159E455AB286DB78AA19CBA1
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00453FE7
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00454031
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004540F7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: InfoLocale$ErrorLast
                                        • String ID:
                                        • API String ID: 661929714-0
                                        • Opcode ID: b95d89cfbf8cca70a4b6dd5eb4337435c0fc91e66bfd85e96ea9933e92a604f6
                                        • Instruction ID: 27985903e4afa6825571b6caebc94e0768a5e6d4044c83eb537cffd588d0bec0
                                        • Opcode Fuzzy Hash: b95d89cfbf8cca70a4b6dd5eb4337435c0fc91e66bfd85e96ea9933e92a604f6
                                        • Instruction Fuzzy Hash: C761E4719105079BDB289F29CC86B7BB3A8EF54309F10417AED05CA282E738D9C9CB58
                                        APIs
                                        • IsWindow.USER32(00000004), ref: 002B88DE
                                        • GetWindowLongW.USER32(00000004,000000FC), ref: 002B88F7
                                        • SetWindowLongW.USER32(00000004,000000FC,?), ref: 002B8909
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID:
                                        • API String ID: 847901565-0
                                        • Opcode ID: 7f37f173dc1fb8dcd85fd58550afc493c863538c0f22dddf6fa620aa5f9a925b
                                        • Instruction ID: cbe17075cd6ade978936fcd629269de589c3cc7357db35310ccec1410fdf05b2
                                        • Opcode Fuzzy Hash: 7f37f173dc1fb8dcd85fd58550afc493c863538c0f22dddf6fa620aa5f9a925b
                                        • Instruction Fuzzy Hash: 1E419DB0601A46EFDB10CF65D908B9AFBB8FF05314F00826DE41897790DB76E924CB91
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043AE0B
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043AE15
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043AE22
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 52126ac4033531ae5e038a983e6132f6edd3637c4761e568cf2415dbdd12fca3
                                        • Instruction ID: 8dda349dea06951ae7aa468ce970612e930ce9cba489f9dd490c6ad085495a1c
                                        • Opcode Fuzzy Hash: 52126ac4033531ae5e038a983e6132f6edd3637c4761e568cf2415dbdd12fca3
                                        • Instruction Fuzzy Hash: 7731C5759412189BCB21DF69DC8978DBBB8BF1C310F5051EAE40CA7290EB749F858F49
                                        APIs
                                        • GetWindowLongW.USER32(?,000000FC), ref: 002B1689
                                        • SetWindowLongW.USER32(?,000000FC,?), ref: 002B1697
                                        • DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,004C383C), ref: 002B16C3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$Destroy
                                        • String ID:
                                        • API String ID: 3055081903-0
                                        • Opcode ID: abe1316d143d326c653d244743ea41657c4a0b0c65ede447a1cfb258c4e6ccc9
                                        • Instruction ID: 314af6dd902d0bb1dd247610cfcc1bbc7ec81e92f61bd9aca001f2f1b0a00174
                                        • Opcode Fuzzy Hash: abe1316d143d326c653d244743ea41657c4a0b0c65ede447a1cfb258c4e6ccc9
                                        • Instruction Fuzzy Hash: 0AF03A34004B119BDB605F28ED08BC2BBE4BF05725F048B1DE4AA825F0CB35E864EB00
                                        APIs
                                        • SendMessageW.USER32(?,0000102B,00000000,?), ref: 002C774D
                                        • SendMessageW.USER32(?,0000102B,0000009B,?), ref: 002C7932
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: db12f38f8c88aa383c07fd8b593d0dc8d26ef551ba767d0bdba5a0d7d1a1fd71
                                        • Instruction ID: 634587cdc629eb1f2dab8ddaa559d974f722103f79e62f4c8b1eb0b610e84ece
                                        • Opcode Fuzzy Hash: db12f38f8c88aa383c07fd8b593d0dc8d26ef551ba767d0bdba5a0d7d1a1fd71
                                        • Instruction Fuzzy Hash: FAA1FF71A14646AFDB18CF24C999FA9FBE5FB04304F14836EE45ADB281D734AA11CF90
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,E48E37CD,00000000,?,00000000), ref: 003BE48E
                                        • FindClose.KERNEL32(00000000,?,00000000), ref: 003BE4D9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: ea5f71becec58962fce15ecb59eeb3d8377d6daf478199d460e3f41c41c78d43
                                        • Instruction ID: 4d335752f0065e9239dbe20d46c1bb2050e55b9ad629836e8720032208e1893d
                                        • Opcode Fuzzy Hash: ea5f71becec58962fce15ecb59eeb3d8377d6daf478199d460e3f41c41c78d43
                                        • Instruction Fuzzy Hash: 52517B7190060ACFDB21DF68C848BEEB7F4FF45318F10455AE9159B781DB74AA04CB90
                                        APIs
                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,E48E37CD,00000008,00000000), ref: 003A227B
                                        • GetLastError.KERNEL32 ref: 003A2285
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 7dcd1f07539061bf976092a30c80803714a0f6c9671e2cb346bf9d4549a6d6e2
                                        • Instruction ID: 293016e6b99d82c643cb5f6e1b339d884be6478719b95b060962c25065311246
                                        • Opcode Fuzzy Hash: 7dcd1f07539061bf976092a30c80803714a0f6c9671e2cb346bf9d4549a6d6e2
                                        • Instruction Fuzzy Hash: 28318171A002099FDB10DF9DDC45BAEBBF8EB45714F20062EF918E7380DBB599048B95
                                        APIs
                                        • GetWindowLongW.USER32(00000000,000000FC), ref: 0030007F
                                        • SetWindowLongW.USER32(00000000,000000FC,?), ref: 0030008D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID:
                                        • API String ID: 1378638983-0
                                        • Opcode ID: 7f8186651c635b5f12585092e2a9ce60c2fcae1c4b3f4e40c4eb633a77672b13
                                        • Instruction ID: f5ce36d94a501e52d460cd51597011c9e877e6c5d7205231233fcd92a20a66ab
                                        • Opcode Fuzzy Hash: 7f8186651c635b5f12585092e2a9ce60c2fcae1c4b3f4e40c4eb633a77672b13
                                        • Instruction Fuzzy Hash: 7D319C71901605EFCB15DF69C948B9AFBF4FF05324F148269E424A77D0C776AA14CB90
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,E48E37CD,?,00000000,00000000,00000000,004A351D,000000FF), ref: 003CE678
                                        • FindClose.KERNEL32(00000000,?,E48E37CD,?,00000000,00000000,00000000,004A351D,000000FF), ref: 003CE6C2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 3e1c932a91fc50b0477f16893b596b5b0de31e6528c7f558737b98817b0eb7e6
                                        • Instruction ID: 410bf8205dcb15f1c7cc0e608fd0912696e5da62f30eac4a2092be256521f678
                                        • Opcode Fuzzy Hash: 3e1c932a91fc50b0477f16893b596b5b0de31e6528c7f558737b98817b0eb7e6
                                        • Instruction Fuzzy Hash: 1F2181719005499FDB10DF68CC49BAEF7B8EF44724F14466AE825972D0EB745A08CB94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 2
                                        • API String ID: 0-450215437
                                        • Opcode ID: d9561e64a6a71d563b0baa20c5f748bbbb5a574cb3a4a36444864dd223ce0522
                                        • Instruction ID: 8e29ffbd76d57f6964d230ad61957dadf31f4c9a9c7af3488dc0074417a1d081
                                        • Opcode Fuzzy Hash: d9561e64a6a71d563b0baa20c5f748bbbb5a574cb3a4a36444864dd223ce0522
                                        • Instruction Fuzzy Hash: 0C32B0B1A047628BCB10CF26D95056BB7E5AF94308F444E3EF5C6CB381EA74E958C792
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `&+
                                        • API String ID: 0-3639896150
                                        • Opcode ID: 0705b04ec5ca8766b435fef831862ce973736f006e6e917cd87b78ae14dcfe1c
                                        • Instruction ID: b890858b72de49242f6df5fc30b1fa03a6498cd603fa99cc7f040cd6470057e9
                                        • Opcode Fuzzy Hash: 0705b04ec5ca8766b435fef831862ce973736f006e6e917cd87b78ae14dcfe1c
                                        • Instruction Fuzzy Hash: 48E1B970A026058FCB28DF6AC480AABB7B1BF4C314F20665ED4569B3D1D738EC46CB59
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045423A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        • Opcode ID: be4c0d2035f9737d3c5990258faee2438188caa77338e9eb904fc6834e431514
                                        • Instruction ID: 37bf567c09738dd518fff12d5811f67d7385119d091d859548d20b0df54e9fd6
                                        • Opcode Fuzzy Hash: be4c0d2035f9737d3c5990258faee2438188caa77338e9eb904fc6834e431514
                                        • Instruction Fuzzy Hash: 4421B872510116ABDB289E26DC42A7B77A8EF84359F1040BFFD05CA282EA78DD45C658
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • EnumSystemLocalesW.KERNEL32(00453F93,00000001,00000000,?,-00000050,?,004545C4,00000000,?,?,?,00000055,?), ref: 00453EDF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: 0be9cb21bf123b83910262be2db4c1a5c27976d251d00e226a5ff3176f01ea09
                                        • Instruction ID: 2213b57ee8be50a3a461e2a82fe21b68018a3b691df4c1c67ca7e615ea8fa009
                                        • Opcode Fuzzy Hash: 0be9cb21bf123b83910262be2db4c1a5c27976d251d00e226a5ff3176f01ea09
                                        • Instruction Fuzzy Hash: FC115937A043019FDB189F39C89167ABBA1FF8035AB14442EE94787B41E3757906C740
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004541AF,00000000,00000000,?), ref: 00454441
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        • Opcode ID: 6367b67dc74f8451312354fe962a44589ad639042af7584b0f252e62752d1893
                                        • Instruction ID: e96b026a6e1d4ae87a5531d1993312c142da8e112d0593eb30ba07b7d26ab999
                                        • Opcode Fuzzy Hash: 6367b67dc74f8451312354fe962a44589ad639042af7584b0f252e62752d1893
                                        • Instruction Fuzzy Hash: 6DF07D329401117BDB245B25CC057BB3768EB8175DF05442AED55A7241EB3CFE87C6A4
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00453DCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID: utf8
                                        • API String ID: 3736152602-905460609
                                        • Opcode ID: 817269a0374961658a91cfdccaf92d2a9ad6b6be03e54d036ee3707be36d7445
                                        • Instruction ID: 8153a1e4bde24b3eef1e2c001dcc3e42c66716cd4f1dd1a291b2260841ee23a3
                                        • Opcode Fuzzy Hash: 817269a0374961658a91cfdccaf92d2a9ad6b6be03e54d036ee3707be36d7445
                                        • Instruction Fuzzy Hash: 76F02832A00105ABD724AF39DC4AABA73ECDB44355F00407EBA06D7381EE78AD0A8754
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • EnumSystemLocalesW.KERNEL32(004541E6,00000001,?,?,-00000050,?,00454588,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00453F52
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: 02a8e4d2505d6769cad38914a68b6bb99d253172622f8bfb3e43eb83f8ff9e30
                                        • Instruction ID: 06ac7fec3f7140ef63ffa8a403700c10f3a67337d4d6838b856062d86dc4d97b
                                        • Opcode Fuzzy Hash: 02a8e4d2505d6769cad38914a68b6bb99d253172622f8bfb3e43eb83f8ff9e30
                                        • Instruction Fuzzy Hash: CBF046376003046FDB249F399C81A7A7BA4FF807AAF04402EFD058B681D6B99D42C604
                                        APIs
                                          • Part of subcall function 0044A89A: EnterCriticalSection.KERNEL32(-00545108,?,0044CE16,002A9F56,00539668,0000000C,0044D0E1,?), ref: 0044A8A9
                                        • EnumSystemLocalesW.KERNEL32(0044FBFC,00000001,005397A8,0000000C,0045002B,00000000), ref: 0044FC41
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: 2e8c9e69976236189af4d30845d7416e39e351642a6872538feea0a9596303aa
                                        • Instruction ID: 8e084552d363fb47ae1fac8f2ec6eef4254b7fd5c58ff3f990cd72e4d43ec438
                                        • Opcode Fuzzy Hash: 2e8c9e69976236189af4d30845d7416e39e351642a6872538feea0a9596303aa
                                        • Instruction Fuzzy Hash: DEF04F76A40204DFE704EFA9E842B9C77F0FB05725F10416BF404DB2E1DB7959459B54
                                        APIs
                                          • Part of subcall function 0044D836: GetLastError.KERNEL32(?,00000008,0044F453), ref: 0044D83A
                                          • Part of subcall function 0044D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0044D8DC
                                        • EnumSystemLocalesW.KERNEL32(00453D7B,00000001,?,?,?,004545E6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00453E59
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: 4033d3b44b77c58949dffc04550df0595d66554acb2b16eb73e467e6132e1150
                                        • Instruction ID: a11c944ea8df005f0808e7f7ace1c56a3237d4b4ba4a6d08bed4ea1516e963ac
                                        • Opcode Fuzzy Hash: 4033d3b44b77c58949dffc04550df0595d66554acb2b16eb73e467e6132e1150
                                        • Instruction Fuzzy Hash: 39F0553670020557CB04AF3AD84676ABFA4EFC1796F0A005EEE098B252C63A9947C754
                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,002BFD16,?,?,?,?,?,?,?,?,002BFB78,?,?), ref: 002C1640
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: NtdllProc_Window
                                        • String ID:
                                        • API String ID: 4255912815-0
                                        • Opcode ID: 40db40636491084975f960613d21d38d9019fb0e9f0d23c73f6415d5318ac4af
                                        • Instruction ID: 35a35a4b1a09af4c36126b3c6a7f97f359148c5baecfa3209ba01820976703e6
                                        • Opcode Fuzzy Hash: 40db40636491084975f960613d21d38d9019fb0e9f0d23c73f6415d5318ac4af
                                        • Instruction Fuzzy Hash: D6F03474014182DAE7008F14D89AF69BBAAFB47346F6C46F9E19885462C339CA78DE10
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00449F14,?,20001004,00000000,00000002,?,?,00449516), ref: 004501BA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 7537b5b8685fe636db020b5d555bdb104d0d2db13df52a42206c48cdffc3e926
                                        • Instruction ID: ae5dcd2777061bd645a1502862b41300f90be9bfe5ad79b6cc98b68cdcf92360
                                        • Opcode Fuzzy Hash: 7537b5b8685fe636db020b5d555bdb104d0d2db13df52a42206c48cdffc3e926
                                        • Instruction Fuzzy Hash: 56E04F35501518BBCF122F61DC05AAE7E29FF44751F00412AFD0565222CB368921EAD9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1
                                        • API String ID: 0-2212294583
                                        • Opcode ID: 88b973a663ae5f8e1658e7aae917f832a5030b96f90c282c64da9bfbf5a8c8e5
                                        • Instruction ID: 33129385f6370281f3b058daeb3aa05f60f55f65e396c64f8d4691f6ac7ec977
                                        • Opcode Fuzzy Hash: 88b973a663ae5f8e1658e7aae917f832a5030b96f90c282c64da9bfbf5a8c8e5
                                        • Instruction Fuzzy Hash: 17D123B0901B8AEFE749CF64C55878AFBF4BF05308F14825DD4685B281D3BAA618CBD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: {L
                                        • API String ID: 0-1469069594
                                        • Opcode ID: fdf94f0775ce67cfe98d88220695568798d1f017f42e4eb2c908cdc992de85b3
                                        • Instruction ID: 2f72cd5baf374dbef97d32747a641303f946021a6a33293bd6f37bb814c274fe
                                        • Opcode Fuzzy Hash: fdf94f0775ce67cfe98d88220695568798d1f017f42e4eb2c908cdc992de85b3
                                        • Instruction Fuzzy Hash: 5F41F7B0905745EED704CF69C51878AFBF0BB09318F10865EC4589B781D3BAA619CFD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `VL
                                        • API String ID: 0-605939035
                                        • Opcode ID: 6fc07e64245b133664ad03991d03b65b5e6ab02620ba9013c3e0995e97648524
                                        • Instruction ID: 1e3e146324b95ee4f6c2c7db4e4ca740d3075c4ee83818e2bb90a63e8a2a7534
                                        • Opcode Fuzzy Hash: 6fc07e64245b133664ad03991d03b65b5e6ab02620ba9013c3e0995e97648524
                                        • Instruction Fuzzy Hash: 0431CFB0405B84CEE721CF29C55878BBFF0BB15718F108A4DD4A64BB91D3BAA548CF91
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1aab5b5333348179645d9ad4a4ff604e9f191f47d66afd00b9194913baa56a06
                                        • Instruction ID: bbe5084b89a90bebfca8e71792f4228a86ae35dfaa535c4afb5390e41dba125f
                                        • Opcode Fuzzy Hash: 1aab5b5333348179645d9ad4a4ff604e9f191f47d66afd00b9194913baa56a06
                                        • Instruction Fuzzy Hash: 14020872E002059FCB29DF68C881BAEF7B5EB59314F15822EE819D7391E734AD04CB91
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 674d362d59339a1e37758a0b0c3e29b05e532d1f67931a5b2a4b84f6c7ec0208
                                        • Instruction ID: a95e1281cc041099c9a1eff8426bebbd0caadbf26210de10e09d6ebc7dba8fe0
                                        • Opcode Fuzzy Hash: 674d362d59339a1e37758a0b0c3e29b05e532d1f67931a5b2a4b84f6c7ec0208
                                        • Instruction Fuzzy Hash: 6CC1DF30902646CFCB24CE6AC48066FB7A1AB1D318F64661FD892973D2D739EC46CB59
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 716995e39b52f0425e30decb5e7c56b4dc977b3e393c6ac8a9bb09aa8fcb9551
                                        • Instruction ID: 880fa2632bc01989ac5d30416ea8bd6eedc884a9fc1abe64cba8b786ac3f6363
                                        • Opcode Fuzzy Hash: 716995e39b52f0425e30decb5e7c56b4dc977b3e393c6ac8a9bb09aa8fcb9551
                                        • Instruction Fuzzy Hash: 3271E8B0805B48DFE761CF68C95478ABFF0BB09314F108A5EC4A99B391D3B96648DF91
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fba1932744c78b5263ead70bcc6989d81ec1f93e884d4006cf6bbf5e353cef37
                                        • Instruction ID: 8942347741e17c5135b53d8ffcb1dff06039bc21b7941d7ccf80d07f9ad14deb
                                        • Opcode Fuzzy Hash: fba1932744c78b5263ead70bcc6989d81ec1f93e884d4006cf6bbf5e353cef37
                                        • Instruction Fuzzy Hash: 1101C0B2A056466BEF228E569C82B63BBDCDB19360F04013AFC4583281EB35D80486A4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6db90538effc4f463ad807d62faf7dc2b83bd5abfff3b0ad44c28b3bdbdcef78
                                        • Instruction ID: b2738cc961e3a79f4e19d71b50d3316f310a40ddb624f90e6138e6a0cade4440
                                        • Opcode Fuzzy Hash: 6db90538effc4f463ad807d62faf7dc2b83bd5abfff3b0ad44c28b3bdbdcef78
                                        • Instruction Fuzzy Hash: 6E2158B0804788CFD710CF58C944B8ABBF4FB19324F1186AED4559B791E3B9AA48CF94
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9fc8e6fb70453dda7604cdc666e69c15ad1227c6ba0795378497da1575ac9949
                                        • Instruction ID: 1e7b7a33382a8e71aca39ce7433535d25d766bfeea6f9be9cb09d768b16fde69
                                        • Opcode Fuzzy Hash: 9fc8e6fb70453dda7604cdc666e69c15ad1227c6ba0795378497da1575ac9949
                                        • Instruction Fuzzy Hash: 74216DB4804788DFD710CF58C944B8ABBF4FB19314F1186AED455AB791E3B9AA48CF90
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d45719f69723dd870886a800345e069ec0a51cfde85f7530f04f0d9e140047bc
                                        • Instruction ID: b42494b38b08cdfc9fba0b53d71b7b5fb17c607414f60601f011838e16d90578
                                        • Opcode Fuzzy Hash: d45719f69723dd870886a800345e069ec0a51cfde85f7530f04f0d9e140047bc
                                        • Instruction Fuzzy Hash: 0411EDB5904248DFCB44CF58C545749BBF4FB09728F20829EE8189B781D37B9A06DF84
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                        • Instruction ID: a7e860b50278bf20a3605196130f68172e6c02a614f500d0ed3a1013d55bb1fa
                                        • Opcode Fuzzy Hash: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                        • Instruction Fuzzy Hash: DEE08C32915228EBCB14EBDAD948D8AF3ECEB45B05B1104ABF901D3201C274DE04C7D4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
                                        • Instruction ID: f6e12d9a91c7e3bd3bd09be48b1adf329f243a3ce659ad378327b9805720df47
                                        • Opcode Fuzzy Hash: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
                                        • Instruction Fuzzy Hash: 85C08C74003D0057DE29992482B13A63354A3A1782F9A248EC8020BB42C51E9C8AD7A8
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • GetModuleHandleW.KERNEL32(kernel32,E48E37CD,?,?,00000000), ref: 0038A3B3
                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0038A3FB
                                        • __Init_thread_footer.LIBCMT ref: 0038A40E
                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 0038A456
                                        • __Init_thread_footer.LIBCMT ref: 0038A469
                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0038A4B1
                                        • __Init_thread_footer.LIBCMT ref: 0038A4C4
                                          • Part of subcall function 00361FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00361FF1
                                          • Part of subcall function 00361FB0: _wcschr.LIBVCRUNTIME ref: 003620AF
                                        Strings
                                        • 0|M, xrefs: 0038A5F8
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 0038A347
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 0038A340, 0038A34F
                                        • @|M, xrefs: 0038A50A
                                        • P*M, xrefs: 0038A582
                                        • T|M, xrefs: 0038A4EC
                                        • SetDefaultDllDirectories, xrefs: 0038A4AB
                                        • H}M, xrefs: 0038A596
                                        • d}M, xrefs: 0038A5A0
                                        • SetSearchPathMode, xrefs: 0038A3F5
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 0038A327, 0038A32F
                                        • 0}M, xrefs: 0038A550
                                        • ~M, xrefs: 0038A653
                                        • SetDllDirectory, xrefs: 0038A450
                                        • $~M, xrefs: 0038A61B
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 0038A322
                                        • x}M, xrefs: 0038A56E
                                        • kernel32.dll, xrefs: 0038A60D
                                        • |M, xrefs: 0038A55A
                                        • T~M, xrefs: 0038A5E3
                                        • <~M, xrefs: 0038A5DC
                                        • kernel32, xrefs: 0038A3AE
                                        • 0|M, xrefs: 0038A500
                                        • x|M, xrefs: 0038A4F6
                                        • l~M, xrefs: 0038A630
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
                                        • String ID: $~M$0|M$0|M$0}M$<~M$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@|M$H}M$P*M$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$T|M$T~M$d}M$kernel32$kernel32.dll$l~M$x|M$x}M$|M$~M
                                        • API String ID: 1258094593-1623089638
                                        • Opcode ID: a1034c14bdd24db90c459fd2f733397798c063c338ded0a98e8b88479540a0a8
                                        • Instruction ID: 065241a7f4f7bb8e0884f74b96ec49ddcda88ba79e98f1d942d69b8af8d16f40
                                        • Opcode Fuzzy Hash: a1034c14bdd24db90c459fd2f733397798c063c338ded0a98e8b88479540a0a8
                                        • Instruction Fuzzy Hash: BDA15BB09043189FDB20DF55D859B9EBBB4FB02718F50819FE4186B381E7B85948CF9A
                                        APIs
                                        • LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 003E2FA9
                                        • LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 003E2FB9
                                        • GetLastError.KERNEL32(?,00000000), ref: 003E2FF7
                                        • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 003E3036
                                        • GetLastError.KERNEL32(?,00000000), ref: 003E3050
                                        • LocalFree.KERNEL32(?,?,00000000), ref: 003E3061
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,E48E37CD,774CF530,?,?), ref: 003E3100
                                        • GetLastError.KERNEL32 ref: 003E311E
                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 003E314B
                                        • GetLastError.KERNEL32 ref: 003E3155
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 003E31DA
                                        • GetLastError.KERNEL32 ref: 003E31E4
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 003E321C
                                        • SystemTimeToFileTime.KERNEL32(00000000,004C341C), ref: 003E323D
                                        • CompareFileTime.KERNEL32(004C341C,?), ref: 003E324F
                                        • PathFileExistsW.SHLWAPI(?,00000005), ref: 003E32EC
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,00000001,S-1-1-0,10000000,00000001), ref: 003E3387
                                        • GetLastError.KERNEL32 ref: 003E3397
                                        • CloseHandle.KERNEL32(00000000), ref: 003E339F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: FileTime$ErrorLast$Local$FreeSystem$Create$AllocCloseCompareExistsHandlePath
                                        • String ID: .part$S-1-1-0$S-1-5-18
                                        • API String ID: 1123205858-2727065896
                                        • Opcode ID: 8caf83891f3c7b930fa95f16ef10171e80708dbfe1c4e0bdf4d0be758c4e3656
                                        • Instruction ID: 74f47bc4f173e5e129e5570a3350d1d0d359d2f5eaa5403c9ccb2390cb6e5563
                                        • Opcode Fuzzy Hash: 8caf83891f3c7b930fa95f16ef10171e80708dbfe1c4e0bdf4d0be758c4e3656
                                        • Instruction Fuzzy Hash: 57127B70A007949FDB22DF6AC848BAABBF4BF44304F15462DE546976E0DBB0EA44CF51
                                        APIs
                                        • OutputDebugStringW.KERNEL32(?,E48E37CD,?,?,?,0049C4C5,000000FF,?,003E04CF,?,?,?,00000000), ref: 003ADCD8
                                        • GetActiveWindow.USER32 ref: 003ADC3A
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$ActiveDebugHeapOutputProcessStringWindow
                                        • String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$T`T$majorupgrade-content.mst$|3L$|3L$bT
                                        • API String ID: 758407959-2942436244
                                        • Opcode ID: ae711d88230327bf4a3985d8f94aa7d578a18b12816edb8758060a13e80a9de2
                                        • Instruction ID: 8bc97dcd2ad3b5d0a92ee1cb93f605e71b2946d3edbdd7543cd4dbb94de259b5
                                        • Opcode Fuzzy Hash: ae711d88230327bf4a3985d8f94aa7d578a18b12816edb8758060a13e80a9de2
                                        • Instruction Fuzzy Hash: 9F51CE75A002059FDB15DB6CC8497AEBBF4EF46324F1582A9E8169B291DB309D04CFA1
                                        Strings
                                        • ps1, xrefs: 003D4BB6, 003D4BC8, 003D4BD2
                                        • Unable to retrieve PowerShell output from file: , xrefs: 003D4E6F
                                        • Unable to get a temp file for script output, temp path: , xrefs: 003D4C1F
                                        • txt, xrefs: 003D4BE3
                                        • powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 003D4C6F
                                        • Unable to find file , xrefs: 003D4B43
                                        • Unable to create process: , xrefs: 003D4D15
                                        • Unable to retrieve exit code from process., xrefs: 003D4E92
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
                                        • API String ID: 0-4129021124
                                        • Opcode ID: 0f2561f19779dd982f1e978a2dfec1e6803f4df1e6b2291d0b05002d483b4072
                                        • Instruction ID: e555946293e048f8e46ac3142bd2b9bc116ea589640eae20897819f7f1c0f396
                                        • Opcode Fuzzy Hash: 0f2561f19779dd982f1e978a2dfec1e6803f4df1e6b2291d0b05002d483b4072
                                        • Instruction Fuzzy Hash: 91C1CF71D01649EFDB11DFA8DD05BAEBBB8BF05314F20825AF414AB291DB74AA44CF90
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00546250,E48E37CD,00000000,?,?,?,?,?,?,P*,0045F68D,000000FF), ref: 002AF62D
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 002AF6A8
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 002AF74E
                                        • LeaveCriticalSection.KERNEL32(00546250), ref: 002AF7A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalCursorLoadSection$EnterLeave
                                        • String ID: cw$0$AtlAxWin140$AtlAxWinLic140$PbT$P*$WM_ATLGETCONTROL$WM_ATLGETHOST$f.C$lbT$lbT$p.C
                                        • API String ID: 3727441302-1407494585
                                        • Opcode ID: 9ba2d6931ff2c79fd98801b8698c6a15886da19ce320c5682a470b4812b125fe
                                        • Instruction ID: e0d86904920c430da3f03ad54d2b74773e69b442f6bc1b1540d0ed17c527f97b
                                        • Opcode Fuzzy Hash: 9ba2d6931ff2c79fd98801b8698c6a15886da19ce320c5682a470b4812b125fe
                                        • Instruction Fuzzy Hash: 89513CB8C11319AFCB51DF94D944BDEBFF8BB09718F10412AE404B7290DBB955098FA4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$LongParentlstrcmp
                                        • String ID: #32770$L4C
                                        • API String ID: 4031819654-1073857517
                                        • Opcode ID: c417ae4c4dd2979e0511a7a9a6297db811cab755b17040663bd71abced4d9cbb
                                        • Instruction ID: dd66144f5ad94a467a31f63ef765a59d34aa18e8a4a5bfbe083a5b2094083e12
                                        • Opcode Fuzzy Hash: c417ae4c4dd2979e0511a7a9a6297db811cab755b17040663bd71abced4d9cbb
                                        • Instruction Fuzzy Hash: C1E1AD74A1120AEFDB14CFA4C858BEEBBB5FF09354F548159E801AB290DB74AD64CF60
                                        APIs
                                        • GetDlgItem.USER32(?,000001F6), ref: 003A9EDE
                                        • GetDlgItem.USER32(?,000001F8), ref: 003A9EEB
                                        • GetDlgItem.USER32(?,000001F7), ref: 003A9F38
                                        • SetWindowTextW.USER32(00000000,00000000), ref: 003A9F47
                                        • ShowWindow.USER32(?,00000005), ref: 003A9F67
                                          • Part of subcall function 003A93B0: GetWindowLongW.USER32(?,000000F0), ref: 003A93EF
                                          • Part of subcall function 003A93B0: GetWindowLongW.USER32(?,000000F0), ref: 003A9400
                                          • Part of subcall function 003A93B0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A9412
                                          • Part of subcall function 003A93B0: GetWindowLongW.USER32(?,000000EC), ref: 003A9425
                                          • Part of subcall function 003A93B0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A9434
                                          • Part of subcall function 003A93B0: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 003A9448
                                          • Part of subcall function 003A93B0: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003A9457
                                        • GetDlgItem.USER32(?,000001F7), ref: 003A9F86
                                        • SetWindowTextW.USER32(00000000,00000000), ref: 003A9F95
                                        • ShowWindow.USER32(?,00000000), ref: 003A9FB5
                                        • ShowWindow.USER32(?,00000000), ref: 003A9FBC
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 003AA005
                                        • GetDlgItem.USER32(00000000,00000000), ref: 003AA039
                                        • IsWindow.USER32(00000000), ref: 003AA043
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000616), ref: 003AA090
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$ItemLong$Show$MessageSendText
                                        • String ID: Details <<$Details >>
                                        • API String ID: 1573988680-3763984547
                                        • Opcode ID: a489654c9d3eb707eaf3da083139643d4a48c9379b59f6251f6db3d130af4112
                                        • Instruction ID: 294a166ee244e9ccd134b32fd15969ecf89e5a9af7e8cf75a06b09fb1dee741f
                                        • Opcode Fuzzy Hash: a489654c9d3eb707eaf3da083139643d4a48c9379b59f6251f6db3d130af4112
                                        • Instruction Fuzzy Hash: F171CB72900608ABDF25DFA8DC46BAEFBF4EF59704F20861DE401A72A0DB71A845DF50
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • CreateThread.KERNEL32(00000000,00000000,002D29B0,004C7458,00000000,?), ref: 002D292A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 002D2943
                                        • CloseHandle.KERNEL32(00000000), ref: 002D2959
                                        • CoInitializeEx.COMBASE(00000000,00000000), ref: 002D2A09
                                        • GetProcessHeap.KERNEL32(?,00000000), ref: 002D2B0B
                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 002D2B11
                                        • GetProcessHeap.KERNEL32(?,00000000), ref: 002D2B90
                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 002D2B96
                                        • CoUninitialize.COMBASE ref: 002D2CEA
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 002D2D6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
                                        • String ID: $tL$XtL$|3L$|3L
                                        • API String ID: 1779960141-2943586925
                                        • Opcode ID: 714d86a90f0cbf1bf56f67660c5ad60fd42c1bde2fd7d98ee47fba857643a4d9
                                        • Instruction ID: c934d65b00c5328f2bde0fed9a530158f021ad549211f23d88f544759004a37c
                                        • Opcode Fuzzy Hash: 714d86a90f0cbf1bf56f67660c5ad60fd42c1bde2fd7d98ee47fba857643a4d9
                                        • Instruction Fuzzy Hash: 6AF16C70D10249DFDB14CFA8C945BEEBBB8EF54304F24815AE815AB391DB749E48CBA1
                                        APIs
                                        • LoadLibraryW.KERNEL32(Advapi32.dll,E48E37CD,00000000,00000000), ref: 003E2AA1
                                        • GetLastError.KERNEL32 ref: 003E2ACF
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                        • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 003E2AE5
                                        • FreeLibrary.KERNEL32(00000000), ref: 003E2AFE
                                        • GetLastError.KERNEL32 ref: 003E2B0B
                                        • GetLastError.KERNEL32 ref: 003E2CF9
                                        • GetLastError.KERNEL32 ref: 003E2D5E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
                                        • String ID: ,(M$Advapi32.dll$ConvertStringSidToSidW
                                        • API String ID: 3460774402-317402887
                                        • Opcode ID: 9682417a43f03c5a78d22a67eee0105e79e87b8d881f6f982e7a74846fcf96cd
                                        • Instruction ID: 32a42aee424ae3086f0586b127903387312748b5eb9f9c505ad8caa7d1c320c4
                                        • Opcode Fuzzy Hash: 9682417a43f03c5a78d22a67eee0105e79e87b8d881f6f982e7a74846fcf96cd
                                        • Instruction Fuzzy Hash: 49F1ADB1C0125AABDF01DF95C944BEEBBB8FF08314F218219E914B7280D774AA45CBA5
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,E48E37CD,?,?,00000000,?,?,?,?,?,?,E48E37CD,00468E95,000000FF), ref: 002DD74D
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002DD753
                                        • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,E48E37CD,00468E95,000000FF,?,002F45FA,004CB84C,E48E37CD,E48E37CD), ref: 002DD783
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002DD789
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$|3L
                                        • API String ID: 2574300362-1837049438
                                        • Opcode ID: 0d34914e36183910fd7ac1845c39a622171b3510cc0b860a4c353f37c6fd4350
                                        • Instruction ID: f142aeb54a3a39350bd04cf5db779681772b602694a5b6c8fc2d383f2119ca97
                                        • Opcode Fuzzy Hash: 0d34914e36183910fd7ac1845c39a622171b3510cc0b860a4c353f37c6fd4350
                                        • Instruction Fuzzy Hash: 75A1AD7192060AEFDF15DFA9C895BEDBBB4EF08314F24402AE411E7291DBB49E19CB50
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(0054611C,E48E37CD,?,?,00000000,?,?,?,?,?,00000000,0049B407,000000FF), ref: 003A84B3
                                        • EnterCriticalSection.KERNEL32(?,E48E37CD,?,?,00000000,?,?,?,?,?,00000000,0049B407,000000FF), ref: 003A84C5
                                        • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,0049B407,000000FF), ref: 003A84D2
                                        • GetCurrentThread.KERNEL32 ref: 003A84DD
                                        • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,00000000,?,004C337C,00000000,?,?,?,?,?,00000000,0049B407,000000FF), ref: 003A86BE
                                        • LeaveCriticalSection.KERNEL32(?,004C337C,00000000,?,?,?,?,?,00000000,0049B407,000000FF), ref: 003A879A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                        • String ID: *** Stack Trace (x86) ***$ cw$4aT$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix] ${tC
                                        • API String ID: 3051236879-3119634080
                                        • Opcode ID: a826d207ae59db2c6e43abc55fab92b78bdf0691ff016ee1955dd4b3e420244b
                                        • Instruction ID: 515762e217dcb6ad89f0af4e95c799c7926e9dc2a843654541d816976f8a1571
                                        • Opcode Fuzzy Hash: a826d207ae59db2c6e43abc55fab92b78bdf0691ff016ee1955dd4b3e420244b
                                        • Instruction Fuzzy Hash: AFA18A709002889FDF26DFA4CC45BEE7BA8FF06308F104129E909AB291DBB55B08CF55
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,E48E37CD,?,?,?,?,?,?,?,E48E37CD,004664A5,000000FF,?,002D371A,004C74D0), ref: 002D3467
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002D346D
                                        • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,E48E37CD,004664A5,000000FF,?,002D371A,004C74D0,E48E37CD,E48E37CD), ref: 002D349E
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002D34A4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$|3L
                                        • API String ID: 2574300362-1837049438
                                        • Opcode ID: bd472b4367a855be950555b0beb9cc0e51c89447f00d5dbc444a6fe42e82b4df
                                        • Instruction ID: d779c5c2f7cfd98a0e942b939517f376f786e81f4ef21a5898fd8c41e81a37c1
                                        • Opcode Fuzzy Hash: bd472b4367a855be950555b0beb9cc0e51c89447f00d5dbc444a6fe42e82b4df
                                        • Instruction Fuzzy Hash: CA81A070910209EFDB15DFA8D885BEEBBB4EF08314F14412AE411B7391DBB49E58CBA5
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(00546054,E48E37CD,?,00000010), ref: 003D74FC
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        • EnterCriticalSection.KERNEL32(00000010,E48E37CD,?,00000010), ref: 003D7509
                                        • WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 003D753B
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 003D7544
                                        • WriteFile.KERNEL32(00000000,003C3C07,6054B9EC,004A500D,00000000,004C334C,00000001,?,?,000000FF,00000000), ref: 003D75C6
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 003D75CF
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 003D7605
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 003D760E
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,004C58A8,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 003D766F
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 003D7678
                                        • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 003D76A8
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
                                        • String ID: cw$L3L
                                        • API String ID: 201293332-527411866
                                        • Opcode ID: 438fa2c2e4dbef36781773c3aee92a7de60e7135391495df5c1e3a029de0789d
                                        • Instruction ID: 94d5096c8e64212c42f5ad2539b7a647de28e2784e155231c639e285466a9c09
                                        • Opcode Fuzzy Hash: 438fa2c2e4dbef36781773c3aee92a7de60e7135391495df5c1e3a029de0789d
                                        • Instruction Fuzzy Hash: 11619D31905645AFDB01DF68DD49BAABBB8FF06314F14826AF805973A1EB309D14CFA4
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 002FA49E
                                        • SetWindowLongW.USER32(?,000000F0,00C80000), ref: 002FA4CC
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 002FA4E1
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002FA518
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002FA545
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 002FA559
                                        • GetWindowLongW.USER32(?,000000F0), ref: 002FA57B
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 002FA592
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 002FA5A6
                                        • GetWindowRect.USER32(?,?), ref: 002FA5F6
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002FA61C
                                        • GetWindowRect.USER32(?,?), ref: 002FA66A
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,?), ref: 002FA6A0
                                        • SetWindowTextW.USER32(?,?), ref: 002FA6E1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$Rect$Text
                                        • String ID:
                                        • API String ID: 445026432-0
                                        • Opcode ID: ea5f642f7c128f946fad53edd58b187b195b424158b7a40f75d42c6798585ee4
                                        • Instruction ID: 57b95f4efc40d16e014f12dac289fb02101a2bb886db29bd992c4e5834e4d0f4
                                        • Opcode Fuzzy Hash: ea5f642f7c128f946fad53edd58b187b195b424158b7a40f75d42c6798585ee4
                                        • Instruction Fuzzy Hash: F0917E75A00609AFDF04CFA8DC45BEEBBB5FF48314F204229F526A72A4DB35A914CB50
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 003059F7
                                        • GetParent.USER32 ref: 00305A0D
                                        • GetWindowRect.USER32(?,?), ref: 00305A18
                                        • GetParent.USER32(?), ref: 00305A20
                                        • GetWindow.USER32(?,00000004), ref: 00305A52
                                        • GetWindowRect.USER32(?,?), ref: 00305A60
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00305A6D
                                        • MonitorFromWindow.USER32(?,00000002), ref: 00305A85
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00305A9F
                                        • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00305B4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$LongMonitorParentRect$FromInfo
                                        • String ID: $/C
                                        • API String ID: 1820395375-1036787561
                                        • Opcode ID: 97890378fe88a0a620fc2081a53ad5f4f092465d2db6107eaf5e8b02fc9542de
                                        • Instruction ID: 45eb99033a80a3de85275996ba05faef5a7d68ac9f914665400b8d29e165a8ef
                                        • Opcode Fuzzy Hash: 97890378fe88a0a620fc2081a53ad5f4f092465d2db6107eaf5e8b02fc9542de
                                        • Instruction Fuzzy Hash: D3516D76E01519AFDF11CFA8CD45BEEBBB9EB49710F254229E815A3294DB30AD04CF90
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 003A93EF
                                        • GetWindowLongW.USER32(?,000000F0), ref: 003A9400
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A9412
                                        • GetWindowLongW.USER32(?,000000EC), ref: 003A9425
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A9434
                                        • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 003A9448
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003A9457
                                        • GetWindowRect.USER32(?,?), ref: 003A9496
                                        • GetDlgItem.USER32(?,?), ref: 003A94D2
                                        • IsWindow.USER32(00000000), ref: 003A94DD
                                        • GetWindowRect.USER32(?,?), ref: 003A94F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$MessageRectSend$Item
                                        • String ID: $/C
                                        • API String ID: 661679956-1036787561
                                        • Opcode ID: 5d3bbdaed82bba2db6c090e4cb2c310333dfae4ff9bb536efeb054233dcf1c24
                                        • Instruction ID: f1a4ff14cb7f0f41063d29e4c786fa5e6304a3b7ea3294d6bc54ab5b9b6fce6a
                                        • Opcode Fuzzy Hash: 5d3bbdaed82bba2db6c090e4cb2c310333dfae4ff9bb536efeb054233dcf1c24
                                        • Instruction Fuzzy Hash: FD41BF355047019FDB21DF69DC84B6BB7E4FF6A314F118A1EF599A2291DB30E8888F21
                                        APIs
                                          • Part of subcall function 003A2350: LoadLibraryW.KERNEL32(ComCtl32.dll,E48E37CD,00000000,?,00000000), ref: 003A238E
                                          • Part of subcall function 003A2350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003A23B1
                                          • Part of subcall function 003A2350: FreeLibrary.KERNEL32(00000000), ref: 003A242F
                                        • GetDlgItem.USER32(?,000001F4), ref: 003A9D41
                                        • SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 003A9D52
                                        • MulDiv.KERNEL32(00000009,00000000), ref: 003A9D6A
                                        • GetDlgItem.USER32(?,000001F6), ref: 003A9DA4
                                        • IsWindow.USER32(00000000), ref: 003A9DAD
                                        • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 003A9DC4
                                        • GetDlgItem.USER32(?,000001F8), ref: 003A9DCE
                                        • GetWindowRect.USER32(?,?), ref: 003A9DDF
                                        • GetWindowRect.USER32(?,?), ref: 003A9DF2
                                        • GetWindowRect.USER32(00000000,?), ref: 003A9E02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
                                        • String ID: ;3C$Courier New
                                        • API String ID: 1717253393-4221049048
                                        • Opcode ID: 261864c9eee09e5b8b7a0e57a16e633757c0f3eeb7828199f9beb8cc875766b4
                                        • Instruction ID: c2e0eceda4275d61b9aa3fc1dffcf716478fc60eac2e7bb1559d129ffa4d0db3
                                        • Opcode Fuzzy Hash: 261864c9eee09e5b8b7a0e57a16e633757c0f3eeb7828199f9beb8cc875766b4
                                        • Instruction Fuzzy Hash: 7641D475BC43087BEB14AF21CC46FEE77A9EF59B08F010619FB057A1C1DAB4A8448B54
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,E48E37CD,?,?), ref: 003CEC83
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 003CEE19
                                        • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 003CEE75
                                        • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 003CEEC5
                                        • RegCloseKey.ADVAPI32(?), ref: 003CEF05
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: OpenQueryValue$Close
                                        • String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
                                        • API String ID: 2529929805-1079072530
                                        • Opcode ID: 906de394bc1be0127f2a5adde41a363d5b9ea1b20dacd5e4e7f81aa3db6262f6
                                        • Instruction ID: 33a121aff357250567d09a8ec2e938dad532b45cb2ccabc4059d58441d179a55
                                        • Opcode Fuzzy Hash: 906de394bc1be0127f2a5adde41a363d5b9ea1b20dacd5e4e7f81aa3db6262f6
                                        • Instruction Fuzzy Hash: A6027B709012699FDB21DF28CC88BDEB7B5AF54304F1442E9E809E7291DB75AE84CF50
                                        APIs
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,E48E37CD,?,?,00546054), ref: 003D81F8
                                        • LoadLibraryW.KERNEL32(Shell32.dll,?,00546054), ref: 003D8207
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 003D821B
                                        • SHGetPathFromIDListW.SHELL32(?,00000000), ref: 003D829A
                                        • SHGetMalloc.SHELL32(?), ref: 003D82D7
                                        • PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,?,00000000), ref: 003D832A
                                        • CreateDirectoryW.KERNEL32(?,?,Everyone,10000000,00000000,?,00000000), ref: 003D83B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Path$AddressCreateDirectoryExistsFileFolderFromLibraryListLoadLocationMallocProcSpecial
                                        • String ID: ADVINST_LOGS$Everyone$SHGetSpecialFolderPathW$Shell32.dll
                                        • API String ID: 1254244429-1733115844
                                        • Opcode ID: cc10c04c5b88ee8056b4f438075c38b3e08304b7cd7503b6ebb81cb65bfcabad
                                        • Instruction ID: 6a60bce17c8719786e1515a765786493c65a2e35c566efdc44a19dc22d1d9803
                                        • Opcode Fuzzy Hash: cc10c04c5b88ee8056b4f438075c38b3e08304b7cd7503b6ebb81cb65bfcabad
                                        • Instruction Fuzzy Hash: FBB1DC72D00609DFDB11DFA9D849BAEBBF4AF55314F25821AE411AB3A0EB746A04CF50
                                        APIs
                                        • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,E48E37CD), ref: 002CC85C
                                          • Part of subcall function 002B0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 002B0DE6
                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 002CC95F
                                        • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 002CC973
                                        • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 002CC988
                                        • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 002CC99D
                                        • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 002CC9B4
                                        • GetWindowRect.USER32(?,?), ref: 002CC9E6
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 002CCA48
                                        • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 002CCA58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateLongRect
                                        • String ID: ,$tooltips_class32
                                        • API String ID: 1954517558-3856767331
                                        • Opcode ID: cbbcd334ea189b457a7c74785760386d8113550d7daef971301d198a5c99c943
                                        • Instruction ID: ca51296881fd4c8424194d50920d8c31efb72d7b32e64b8bc0a8b83da99a4d57
                                        • Opcode Fuzzy Hash: cbbcd334ea189b457a7c74785760386d8113550d7daef971301d198a5c99c943
                                        • Instruction Fuzzy Hash: 5E913B71A40208AFEB14CFA4DD95FEEBBF8FB08304F10452AE516EA290D774A914DF50
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 003A9A94
                                        • EndDialog.USER32(?,00000000), ref: 003A9B52
                                          • Part of subcall function 003A9550: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 003A9582
                                          • Part of subcall function 003A9550: GetWindowLongW.USER32(?,000000F0), ref: 003A9588
                                          • Part of subcall function 003A9550: GetDlgItem.USER32(?,?), ref: 003A95FA
                                          • Part of subcall function 003A9550: GetWindowRect.USER32(00000000,?), ref: 003A9612
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Long$DialogItemMessageRectSend
                                        • String ID: L/C$U2C
                                        • API String ID: 188208873-2968307040
                                        • Opcode ID: 2e3e3d03232698fc4dc4a986a51ef94a9acb7f9f2d97d187acd40b7ca37ca1a2
                                        • Instruction ID: a9dd7eb18eddd2d24ef31ed9901d47aba4b9641a55742781c2e16aafaf3fc072
                                        • Opcode Fuzzy Hash: 2e3e3d03232698fc4dc4a986a51ef94a9acb7f9f2d97d187acd40b7ca37ca1a2
                                        • Instruction Fuzzy Hash: 5E71BF35A006059BDB25CF68CC89BAEBBF8FB4A724F11061AE412F7AD0D774D944DB50
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 003A54AE
                                        • __Init_thread_footer.LIBCMT ref: 003A5607
                                        • GetStdHandle.KERNEL32(000000F5,?,E48E37CD,?,?), ref: 003A568F
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 003A5696
                                        • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 003A56AA
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 003A56B1
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,00000000,00000000,004C58A8,00000002,?,?), ref: 003A5740
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 003A5747
                                        • IsWindow.USER32(00000000), ref: 003A5960
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
                                        • String ID: Error
                                        • API String ID: 2811146417-2619118453
                                        • Opcode ID: c1eee61d2e544af6cb002bb97cfb65f57175e4fbea56b1cba0f454f5a66656b4
                                        • Instruction ID: cc06795f948bd8f6a80f3064af55d789cd11d0f38a9b264f4b3a2ec4ae5edb57
                                        • Opcode Fuzzy Hash: c1eee61d2e544af6cb002bb97cfb65f57175e4fbea56b1cba0f454f5a66656b4
                                        • Instruction Fuzzy Hash: 512238B0D10708DFDB10CFA4C845BDEBBB4EF5A318F244299E419AB291DB759A88CF51
                                        APIs
                                          • Part of subcall function 00361FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00361FF1
                                          • Part of subcall function 00361FB0: _wcschr.LIBVCRUNTIME ref: 003620AF
                                        • GetLastError.KERNEL32(E48E37CD,?,?,?,000000FF,?,003B4196,?,?), ref: 003CF8ED
                                        • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 003CFA7A
                                        • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 003CFADE
                                        • FreeLibrary.KERNEL32(00000000,?,?,000000FF,?,003B4196,?,?), ref: 003CFBD2
                                        Similarity
                                        • API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem_wcschr
                                        • String ID: ,(M$GetPackagePath$Kernel32.dll$neutral$x64$x86
                                        • API String ID: 3734293021-3400532891
                                        • Opcode ID: 4abfc2d98521adcc4dd6306a40517ac56cce219ec75488e08c130c0831fa66ea
                                        • Instruction ID: b40df37a59274ab4d2160aa8eea059d34c3c06826887f15d2ea9753546f0405a
                                        • Opcode Fuzzy Hash: 4abfc2d98521adcc4dd6306a40517ac56cce219ec75488e08c130c0831fa66ea
                                        • Instruction Fuzzy Hash: 93C14674A002099FDB04DFA9C894BAEBBB5EF09314F15826DE815EB391DB749D44CFA0
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00546250,E48E37CD,00000000,0054626C), ref: 002B2573
                                        • LeaveCriticalSection.KERNEL32(00546250), ref: 002B25D7
                                        • LoadCursorW.USER32(002A0000,?), ref: 002B2630
                                        • LeaveCriticalSection.KERNEL32(00546250), ref: 002B26C8
                                        Similarity
                                        • API ID: CriticalSection$Leave$CursorEnterLoad
                                        • String ID: cw$ATL:%p$PbT$f.C$lbT$p.C
                                        • API String ID: 2080323225-2779732177
                                        • Opcode ID: 51c3128e5509ed23c79bedd3d302289eadf053f31c074c03de4a08266c7184da
                                        • Instruction ID: fcd0f325bcf94d8e98e8dd5ee756817b524373ada2601ac2b88dd890f0935caf
                                        • Opcode Fuzzy Hash: 51c3128e5509ed23c79bedd3d302289eadf053f31c074c03de4a08266c7184da
                                        • Instruction Fuzzy Hash: 9E519B74D04B45DBDB20CF69C9457AAFBF4FF19314F00861DE896A3690EB70A998CB50
                                        Similarity
                                        • API ID:
                                        • String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
                                        • API String ID: 0-2691827946
                                        • Opcode ID: 83ac30c6ef55a216e8928e34e86db8e645a6c8c5356aa21cfddde2ed00c72ffc
                                        • Instruction ID: 1e2feee5cddd3f238e15752ce39a0d308f1e16aaaabb881f65b9effaf4b9a927
                                        • Opcode Fuzzy Hash: 83ac30c6ef55a216e8928e34e86db8e645a6c8c5356aa21cfddde2ed00c72ffc
                                        • Instruction Fuzzy Hash: 42B19BB1A00349DFDB14CF48D944BAEBBB1FB55320F10826EE9259B390D7B99A10CB95
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
                                        • API String ID: 2691759472-1956487666
                                        • Opcode ID: fbc92ee330ee7bc1047c44852e98fc6674a8e863639320815946426d4814d33c
                                        • Instruction ID: cfaf11b12af3802618300204ab9d917e13e504acc03c98ede4a7e96162d593f9
                                        • Opcode Fuzzy Hash: fbc92ee330ee7bc1047c44852e98fc6674a8e863639320815946426d4814d33c
                                        • Instruction Fuzzy Hash: 1A41F676E40605ABEB115B65CC02F2AB7A8EB00311F14063FBC10E26D0EB79DC10CB65
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 002C31EA
                                        • VariantClear.OLEAUT32(?), ref: 002C321C
                                        • VariantClear.OLEAUT32(?), ref: 002C3316
                                        • VariantClear.OLEAUT32(?), ref: 002C3345
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C334C
                                        • SysAllocString.OLEAUT32(00000000), ref: 002C3393
                                        • VariantClear.OLEAUT32(?), ref: 002C341A
                                        • VariantClear.OLEAUT32(?), ref: 002C344C
                                        • VariantClear.OLEAUT32(?), ref: 002C3527
                                        • VariantClear.OLEAUT32(?), ref: 002C3556
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID:
                                        • API String ID: 1305860026-0
                                        • Opcode ID: 4f7ea667ac7896245a65531c066240b1bcd210677ce5b7f0c1156c1fbb741126
                                        • Instruction ID: cf98338a678c8b011ebfd3525e9e6c5fbe8767653a76224f94de0d2d7440c74a
                                        • Opcode Fuzzy Hash: 4f7ea667ac7896245a65531c066240b1bcd210677ce5b7f0c1156c1fbb741126
                                        • Instruction Fuzzy Hash: 0AC19B71910249DFCB10DFA8C844BDEBBB4FF09314F148669E804E7391EB78AA55CBA5
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • ResetEvent.KERNEL32(?,?,?), ref: 003D2C4A
                                        • SetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 003D2C83
                                        • ResetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 003D2E19
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000,?,?,?), ref: 003D2E4B
                                        • ResetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000), ref: 003D2F26
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 003D2F43
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 003D2F4A
                                        Similarity
                                        • API ID: Event$Reset$Init_thread_footerObjectSingleWait$HeapProcess
                                        • String ID: FTP Server
                                        • API String ID: 3860647947-688436434
                                        • Opcode ID: 00cfee93a1a5edf4395a41359bf803e23333f159c7f76b63505768f1b9ea8c75
                                        • Instruction ID: 0813760a427d9b1d645276faf0828d47fc7a9d48693521280f86331c2bbd9642
                                        • Opcode Fuzzy Hash: 00cfee93a1a5edf4395a41359bf803e23333f159c7f76b63505768f1b9ea8c75
                                        • Instruction Fuzzy Hash: 48D18E31A00249DFDB02DF68C988B9EBBB9FF59314F15825AE814AB391DB74DD44CB90
                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 0038A069
                                        • CloseHandle.KERNEL32(00000000), ref: 0038A090
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                          • Part of subcall function 0038BC00: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,80070057,E48E37CD,?,?,00000000,0045D670,000000FF,?,003D338D), ref: 0038BC3D
                                          • Part of subcall function 0038BC00: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 0038BC6E
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?), ref: 0038A105
                                        • CloseHandle.KERNEL32(00000000), ref: 0038A157
                                          • Part of subcall function 0038BA20: WideCharToMultiByte.KERNEL32(00000003,00000000,003B3DCA,000000FF,00000000,00000000,00000000,00000000,?,?,?,003B3DCA,?,?), ref: 0038BA3C
                                          • Part of subcall function 0038BA20: WideCharToMultiByte.KERNEL32(00000003,00000000,003B3DCA,000000FF,?,-00000001,00000000,00000000,?,?,?,003B3DCA,?,?), ref: 0038BA73
                                        Similarity
                                        • API ID: ByteCharMultiWide$CloseFileHandleInit_thread_footer$CreateFindHeapProcessResourceWrite
                                        • String ID: .bat$EXE$open$3C
                                        • API String ID: 4275363648-1225271249
                                        • Opcode ID: d9930475206097a38b134b153bcc937bcad06978c9994183f3ee435aa74bd27e
                                        • Instruction ID: 778a0991505170af012aba2fd62ee5e99d0e238aed0a241ec4bea30e892f32c8
                                        • Opcode Fuzzy Hash: d9930475206097a38b134b153bcc937bcad06978c9994183f3ee435aa74bd27e
                                        • Instruction Fuzzy Hash: A4A15A70901648EFEB11DFA8CD48B8DFBB4BF45314F24829AE414AB291DB749D48CF51
                                        APIs
                                        • SendMessageW.USER32(?,000000C5,?,00000000), ref: 002CB771
                                        • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 002CB7D5
                                        • lstrcpynW.KERNEL32(?,?,00000020), ref: 002CB847
                                        • MulDiv.KERNEL32(?,00000048,00000000), ref: 002CB884
                                        • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 002CB8B6
                                        Similarity
                                        • API ID: MessageSend$lstrcpyn
                                        • String ID: ?$U2C$t
                                        • API String ID: 3928028829-569858670
                                        • Opcode ID: 3494d21194c5fa97d5f4a12a033a76b06935c3445f833e2366056f10f712bc5f
                                        • Instruction ID: 8d6ae3bc590a5516d663b408535a5327eab286fc5c3b7e9a54aeae3c6b596761
                                        • Opcode Fuzzy Hash: 3494d21194c5fa97d5f4a12a033a76b06935c3445f833e2366056f10f712bc5f
                                        • Instruction Fuzzy Hash: CB919F71618340AFE721DF64CC45F9ABBE8AF89304F004A2EF699D71A0EB74A544CF56
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,003B4998), ref: 003D49F3
                                        • WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 003D4A37
                                        • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 003D4A54
                                        • CloseHandle.KERNEL32(00000000), ref: 003D4A6E
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 003D4AAD
                                        Similarity
                                        • API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
                                        • String ID: Unable to get temp file $Unable to save script file $ps1
                                        • API String ID: 2821137686-4253966538
                                        • Opcode ID: 4136b1e46e9f5bab8b0298522e13b94ddf523e70be16f8e9d44618db6164f781
                                        • Instruction ID: 18dda12a45b5a7dd802e63f7a181230ca941a22646a7f27eeda9ea5d16680c3c
                                        • Opcode Fuzzy Hash: 4136b1e46e9f5bab8b0298522e13b94ddf523e70be16f8e9d44618db6164f781
                                        • Instruction Fuzzy Hash: 4751D771A40609EFDB11DF68CD45BAEBBB8EF05314F14825AE510AB3D1D7749D04CBA8
                                        APIs
                                        • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 003A9582
                                        • GetWindowLongW.USER32(?,000000F0), ref: 003A9588
                                        • GetDlgItem.USER32(?,?), ref: 003A95FA
                                        • GetWindowRect.USER32(00000000,?), ref: 003A9612
                                        • SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 003A969F
                                        • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 003A96D3
                                        Similarity
                                        • API ID: Window$MessageSend$ItemLongRect
                                        • String ID: $/C$L/C
                                        • API String ID: 3432912040-3828232961
                                        • Opcode ID: ec17e39a880a6e74300d558c5d5c4be7c999c86c558409b21d8dcc2a466997c5
                                        • Instruction ID: b272b91098eaebc9aebb0fb343fd62e1c4050f48ed43f6d8b6912f3e07592f32
                                        • Opcode Fuzzy Hash: ec17e39a880a6e74300d558c5d5c4be7c999c86c558409b21d8dcc2a466997c5
                                        • Instruction Fuzzy Hash: 99518B30204300DFDB25CF28C989B2ABBE1FF8A718F154A1EF585AB2A5D771E844CB55
                                        APIs
                                        • GetSystemDefaultLangID.KERNEL32 ref: 003C3CBE
                                        • GetUserDefaultLangID.KERNEL32 ref: 003C3CCB
                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 003C3CDD
                                        • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 003C3CF1
                                        • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 003C3D06
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                        • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                        • API String ID: 667524283-3528650308
                                        • Opcode ID: 0c573c7e2bd6bcc9b69a8f40afbd965cfa0be521beffae8667afa6c5c6c5ceba
                                        • Instruction ID: 00cf85bffd01059d798aa69350d2fd3d5b110764253350a0a0635203b1062345
                                        • Opcode Fuzzy Hash: 0c573c7e2bd6bcc9b69a8f40afbd965cfa0be521beffae8667afa6c5c6c5ceba
                                        • Instruction Fuzzy Hash: C041B1716083019BC745EF28D854BBAB7E1AFA8345F52592EF886C7280DB359E44CB52
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 002B6CEF
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 002B6D43
                                        • CloseHandle.KERNEL32(00000000), ref: 002B6D92
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 002B6DF6
                                        • CloseHandle.KERNEL32(00000000,?), ref: 002B6E1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                        • String ID: aix$html$|bT
                                        • API String ID: 2030708724-1674552349
                                        • Opcode ID: bd6e3744dd0fe04900a6285b097be6a843bc79db596c15d38bd544f6c3a3b752
                                        • Instruction ID: 589e0118561f16c55006fce1baeaead304e5d88a4f921853d36d9c0b31c42565
                                        • Opcode Fuzzy Hash: bd6e3744dd0fe04900a6285b097be6a843bc79db596c15d38bd544f6c3a3b752
                                        • Instruction Fuzzy Hash: 5F516FB8904248EFDB10DFA4DC59BDEBBB4FB16308F10416DE401AB291D7F95A08DB66
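Reading these call lists by hand is slow, so the block below is an added example (it is not Joe Sandbox or Advanced Installer code) that parses API-call lines in the format used throughout this section, decodes the numeric CreateFileW arguments with the winbase.h constant names, and flags the two behaviours visible in the two preceding summaries: locale APIs resolved at run time through LoadLibraryW plus GetProcAddress, and a GENERIC_WRITE CreateFileW with CREATE_ALWAYS followed by WriteFile, i.e. a file being written to disk. The sample lines are copied from the summaries above; the pattern names, the `analyze` result keys and the treatment of all input lines as one function summary are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: the locale-query and file-writing functions from the
# summaries above, in the report's own line format (bullets included).
SAMPLE = """\
• GetSystemDefaultLangID.KERNEL32 ref: 003C3CBE
• GetUserDefaultLangID.KERNEL32 ref: 003C3CCB
• LoadLibraryW.KERNEL32(kernel32.dll), ref: 003C3CDD
• GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 003C3CF1
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 003C3D06
• __Init_thread_footer.LIBCMT ref: 002B6CEF
  • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
• CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 002B6D43
• CloseHandle.KERNEL32(00000000), ref: 002B6D92
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 002B6DF6
• CloseHandle.KERNEL32(00000000,?), ref: 002B6E1C
"""

LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")

# winbase.h values for the CreateFileW arguments the report prints in hex.
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
         (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"), (0x40000000, "FILE_FLAG_OVERLAPPED")]
LOCALE_APIS = {"GetSystemDefaultLangID", "GetUserDefaultLangID",
               "GetSystemDefaultUILanguage", "GetUserDefaultUILanguage"}
LOADERS = {"LoadLibraryW", "LoadLibraryA", "GetModuleHandleW", "GetModuleHandleA"}

# subcall is the callee address on "Part of subcall function" lines, else None.
Call = namedtuple("Call", "api module args ref subcall")

def parse(text):
    """Turn the bullet lines of one function summary into Call records."""
    calls = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip().lstrip("• ").strip())
        if m:
            args = m["args"].split(",") if m["args"] else []
            calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls

def as_int(arg):
    """Hex argument -> int; '?' (unknown to the sandbox) or a string literal -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def decode_flags(value, table):
    """Name each known bit of value; leftover bits are reported in hex."""
    names, rest = [], value
    for bit, name in table:
        if (rest & bit) == bit:  # parenthesised: == binds tighter than & in Python
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:x}")
    return names

def decode_create_file(call):
    """Decode dwDesiredAccess, dwShareMode, dwCreationDisposition and
    dwFlagsAndAttributes (args 1, 2, 4, 5); later values are printed stack slots."""
    access, share, disp, attrs = (as_int(call.args[i]) for i in (1, 2, 4, 5))
    return {
        "access": decode_flags(access, ACCESS) if access is not None else ["?"],
        "share": decode_flags(share, SHARE) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disp, "?"),
        "attributes": decode_flags(attrs, ATTRS) if attrs is not None else ["?"],
    }

def analyze(text):
    """Flag runtime API resolution, locale queries and file writes in one summary."""
    calls = parse(text)
    resolved = [c.args[1] for c in calls if c.api == "GetProcAddress"
                and len(c.args) > 1 and as_int(c.args[1]) is None]
    locale = [c.api for c in calls if c.api in LOCALE_APIS]
    locale += [name for name in resolved if name in LOCALE_APIS]
    file_writes = []
    for i, c in enumerate(calls):
        if c.api in ("CreateFileW", "CreateFileA") and len(c.args) >= 6:
            d = decode_create_file(c)
            creates = d["disposition"] in ("CREATE_NEW", "CREATE_ALWAYS", "OPEN_ALWAYS")
            written = any(x.api == "WriteFile" for x in calls[i + 1:])
            if "GENERIC_WRITE" in d["access"] and creates and written:
                file_writes.append({"ref": c.ref, **d})
    return {
        "calls": len(calls),
        "dynamic_resolution": any(c.api in LOADERS for c in calls) and bool(resolved),
        "resolved_dynamically": resolved,
        "locale_apis": locale,
        "file_writes": file_writes,
    }
```

Call `analyze(SAMPLE)` to get the findings as a dict. The file-write check only pairs a CreateFileW with a WriteFile that appears later in the same block, so feed it one function summary at a time; GetProcAddress arguments are treated as resolved names only when the report prints a string rather than a hex value, which is what distinguishes the locale APIs above from a forwarded pointer.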
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00439847
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0043984F
                                        • _ValidateLocalCookies.LIBCMT ref: 004398D8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00439903
                                        • _ValidateLocalCookies.LIBCMT ref: 00439958
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043996E
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00439983
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                        • String ID: csm
                                        • API String ID: 1385549066-1018135373
                                        • Opcode ID: 16aced292b0c93de703a69703a86e70a20d787c466c61af78fd9b7dfc45b4971
                                        • Instruction ID: a95ad915443bc6e1f31b919d7ed06df686f627914754e4e43bd16626be4ef8bd
                                        • Opcode Fuzzy Hash: 16aced292b0c93de703a69703a86e70a20d787c466c61af78fd9b7dfc45b4971
                                        • Instruction Fuzzy Hash: E8410734D00208DBCF14EF69C881A9FBBA1AF49318F14905BE8145B392C779DD15CF95
                                        APIs
                                          • Part of subcall function 003D2140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,003D029A,?,E48E37CD,?,?,?,000000FF,?), ref: 003D2154
                                          • Part of subcall function 003D2140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,003D029A,?,E48E37CD,?,?,?,000000FF,?,003CFC64), ref: 003D2171
                                          • Part of subcall function 003D2140: GetLastError.KERNEL32(?,E48E37CD,?,?,?,000000FF,?,003CFC64,?,?,00000000,00000000,E48E37CD,?,?), ref: 003D21D0
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • ResetEvent.KERNEL32(?,00000000,004A38DD), ref: 003D036A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003D0389
                                        • WaitForSingleObject.KERNEL32(E48E37CD,000000FF), ref: 003D0390
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
                                        • String ID: GET$attachment$filename$h[L
                                        • API String ID: 818129584-4055808260
                                        • Opcode ID: 9ba5c3e2eb0d8f19155cc2b8d1a9b69a29e788242b86bfb5d70ce2683140008e
                                        • Instruction ID: 5b3a60fa05ff80eb2573c1b7b9380b0b6835d57bc8dfa393cee46d9079cd6d53
                                        • Opcode Fuzzy Hash: 9ba5c3e2eb0d8f19155cc2b8d1a9b69a29e788242b86bfb5d70ce2683140008e
                                        • Instruction Fuzzy Hash: 8B02ED71901249DFDB05DFA8D944BAEBBF4FF15314F14816AE815AB391EB70AA04CFA0
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00546008,E48E37CD,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004604E5), ref: 002B4EBA
                                        • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004604E5), ref: 002B4F3A
                                        • EnterCriticalSection.KERNEL32(00546024,?,?,?,?,?,?,?,?,?,?,?,00000000,004604E5,000000FF), ref: 002B50F3
                                        • LeaveCriticalSection.KERNEL32(00546024,?,?,?,?,?,?,?,?,?,?,00000000,004604E5,000000FF), ref: 002B5114
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Enter$FileLeaveModuleName
                                        • String ID: cw$8YT
                                        • API String ID: 1807155316-3236524397
                                        • Opcode ID: e49ffaf29e32412d25b4a69af975c860a014ccd82567831774df4f9d995babd1
                                        • Instruction ID: f956fc6ed0f9a99821aa597923a61444e8e98acf35c99b82339c1f3dec731dcf
                                        • Opcode Fuzzy Hash: e49ffaf29e32412d25b4a69af975c860a014ccd82567831774df4f9d995babd1
                                        • Instruction Fuzzy Hash: 57B1CF70A10259DFDB11DFA8C888BEEBBF4BF19354F144598E405AB391C779AD48CBA0
                                        APIs
                                        • CoCreateInstance.COMBASE(004C37FC,00000000,00000001,004C3E84,?), ref: 002B0EE0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CreateInstance
                                        • String ID: :${$>L
                                        • API String ID: 542301482-1321501944
                                        • Opcode ID: aea17d8461d9900adfe77e17be93f25e21c66c738f02e5ea64979b7e3bf2c03c
                                        • Instruction ID: 8eb748c90cf8cbdba72d301728bd56db2cd4ade1723471b72295bb0abd99dd56
                                        • Opcode Fuzzy Hash: aea17d8461d9900adfe77e17be93f25e21c66c738f02e5ea64979b7e3bf2c03c
                                        • Instruction Fuzzy Hash: B561E274A502469BDF299F588894BFEB7F4EB09794F244829FC01EB280D775DC90CB64
                                        APIs
                                        • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 002CDEF7
                                        • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 002CDF1F
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002CDF37
                                        • SendMessageW.USER32(?,0000130A,00000000,?), ref: 002CDF68
                                        • GetParent.USER32(?), ref: 002CE044
                                        • SendMessageW.USER32(00000000,00000136,?,?), ref: 002CE055
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$Parent
                                        • String ID: U2C
                                        • API String ID: 1020955656-2543022354
                                        • Opcode ID: debc8d05473a2fef349121dda8a085d609dcec9f3088ad663d8f2a9777ae66b8
                                        • Instruction ID: 56f9907bb51c58ea73be92985bda883335ab7e55512af3afbc8c871a136efa5e
                                        • Opcode Fuzzy Hash: debc8d05473a2fef349121dda8a085d609dcec9f3088ad663d8f2a9777ae66b8
                                        • Instruction Fuzzy Hash: CB612176A50618AFDB119BE4DC09FEEBBB9FF19714F100119F609AB2A0C7706904DF50
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004A13BF,000000FF), ref: 003D72D3
                                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004A13BF,000000FF), ref: 003D7361
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                        • String ID: << Advanced Installer (x86) Log >>$ YT$T`T$T`T$|`T
                                        • API String ID: 3699736680-2837310433
                                        • Opcode ID: 8700f74a41c57c44d294cccf20493ffefa5cd1ad255af594c8e2b476a6aba294
                                        • Instruction ID: bcbeb246e8abd2fb395e8544bf04f23f1a8ce929dc20c31acb304f024c21453c
                                        • Opcode Fuzzy Hash: 8700f74a41c57c44d294cccf20493ffefa5cd1ad255af594c8e2b476a6aba294
                                        • Instruction Fuzzy Hash: 7A610E70900684CFD711CF68D94879EFBF0EF46318F1482AEE4089B391DB749A08CB91
                                        APIs
                                        • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 003822AB
                                        • GetParent.USER32(00000000), ref: 003822FE
                                        • GetWindowRect.USER32(00000000), ref: 00382301
                                        • GetParent.USER32(00000000), ref: 00382310
                                          • Part of subcall function 0033FCF0: GetWindowRect.USER32(?,?), ref: 0033FD8B
                                          • Part of subcall function 0033FCF0: GetWindowRect.USER32(?,?), ref: 0033FDA3
                                        • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00382400
                                        • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00382413
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageRectSendWindow$Parent
                                        • String ID: $/C
                                        • API String ID: 425339167-1036787561
                                        • Opcode ID: c4c734bd7a6f71d487ffc8a6fbc26575b25b9317dce6c3b76f427a27fdc59b1d
                                        • Instruction ID: 25ebc4316d8311b434fa913f97deec6530677c260e7c4e44622c1a9831447e3c
                                        • Opcode Fuzzy Hash: c4c734bd7a6f71d487ffc8a6fbc26575b25b9317dce6c3b76f427a27fdc59b1d
                                        • Instruction Fuzzy Hash: 5C515775D00708ABDB21DFA8CD45BDEBBF8EF5A714F20431AE805A7291EB706984CB50
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00382500
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        • GetProcAddress.KERNEL32(SetWindowTheme), ref: 0038253D
                                        • __Init_thread_footer.LIBCMT ref: 00382554
                                        • SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 0038257F
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                          • Part of subcall function 00361FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00361FF1
                                          • Part of subcall function 00361FB0: _wcschr.LIBVCRUNTIME ref: 003620AF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
                                        • String ID: SetWindowTheme$UxTheme.dll$explorer
                                        • API String ID: 3852524043-3123591815
                                        • Opcode ID: efef6db472c0fbcca0ce081ee86fe0fe2eab886bfb8e29e6f274e57c514ff088
                                        • Instruction ID: 9cb1e762f8f7cd3e9c0cb340d0066465d65edd43e208e0521803b1d58bf902ff
                                        • Opcode Fuzzy Hash: efef6db472c0fbcca0ce081ee86fe0fe2eab886bfb8e29e6f274e57c514ff088
                                        • Instruction Fuzzy Hash: 3221E4B0A40300EBC721DF14ED16BCAB7B4FB27728F51422AF824972D4D7B8A905DB56
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 002B980A
                                        • GetWindow.USER32(?,00000005), ref: 002B9817
                                        • GetWindow.USER32(00000000,00000002), ref: 002B9952
                                          • Part of subcall function 002B9660: GetWindowRect.USER32(?,?), ref: 002B968C
                                          • Part of subcall function 002B9660: GetWindowRect.USER32(?,?), ref: 002B969C
                                        • GetWindowRect.USER32(?,?), ref: 002B98AB
                                        • GetWindowRect.USER32(00000000,?), ref: 002B98BB
                                        • GetWindowRect.USER32(00000000,?), ref: 002B98D5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Rect
                                        • String ID:
                                        • API String ID: 3200805268-0
                                        • Opcode ID: 460d2b5abfd2218f659f7c1d748662391d4c19c84d0a439f5a707d4da4e29282
                                        • Instruction ID: 1d7fdcba9c13c2b45da45515b2ad40412275d635d633b0c99b9cd58d9df35215
                                        • Opcode Fuzzy Hash: 460d2b5abfd2218f659f7c1d748662391d4c19c84d0a439f5a707d4da4e29282
                                        • Instruction Fuzzy Hash: D841C0305187029FC721DF25C980AABF7F9BF96744F544A1DF28593621EB30E998CB12
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00435D55,00000000,?,?,002B0B74,?), ref: 00435BCF
                                        • HeapAlloc.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435BD6
                                          • Part of subcall function 00435CA1: IsProcessorFeaturePresent.KERNEL32(0000000C,00435BBD,00000000,?,00435D55,00000000,?,?,002B0B74,?), ref: 00435CA3
                                        • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00435D55,00000000,?,?,002B0B74,?), ref: 00435BE6
                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,002B0B74,?), ref: 00435C0D
                                        • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,002B0B74,?), ref: 00435C21
                                        • InterlockedPopEntrySList.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435C34
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,002B0B74,?), ref: 00435C47
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                        • String ID:
                                        • API String ID: 2460949444-0
                                        • Opcode ID: 047755614e01e0f72fe0ec6b11e9d42825edd3df2c58707c6169492d07c13063
                                        • Instruction ID: 9ee989251351e09150ee9a78494425acc155e0d6a5381d0a90db169608fc2a74
                                        • Opcode Fuzzy Hash: 047755614e01e0f72fe0ec6b11e9d42825edd3df2c58707c6169492d07c13063
                                        • Instruction Fuzzy Hash: E711B671641F11ABE7211B65AC88F6B765CEB0C78DF192537F901E6250DE24DC009ABD
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • _wcschr.LIBVCRUNTIME ref: 003E6F6B
                                        • _wcschr.LIBVCRUNTIME ref: 003E701D
                                        • _wcschr.LIBVCRUNTIME ref: 003E703C
                                          • Part of subcall function 002A9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002B69F0,-00000010,?,002BAA9D,*.*), ref: 002A93B7
                                        • _wcschr.LIBVCRUNTIME ref: 003E70E2
                                        • GetTickCount.KERNEL32 ref: 003E728A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
                                        • String ID: 0123456789AaBbCcDdEeFf
                                        • API String ID: 2181188311-3822820098
                                        • Opcode ID: c058401ba46ec1fb001011773091129ce879a682c0ee667eea1d230c32dbbef5
                                        • Instruction ID: 36f19fa3c30924d45ad3d59e1a3f0960b7198fbe5940c99602065ceefaa3ab85
                                        • Opcode Fuzzy Hash: c058401ba46ec1fb001011773091129ce879a682c0ee667eea1d230c32dbbef5
                                        • Instruction Fuzzy Hash: 04D1EC70A006558FDB22CF6AC888BAAB7F5EF48320F14875DE4659B2C1DB34ED45CB90
                                        APIs
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002CF7CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: ' AND `Control_`='$,nL$AiTabPage$ControlEvent$`Dialog_`='
                                        • API String ID: 3850602802-3887494272
                                        • Opcode ID: c76f2cc56218c0753c517b5662971d8c9e64ac3926279413b872a86786cd3698
                                        • Instruction ID: 47674a2ce9679090b5016c6fba34ce58f2943925fe4507ce6501b3208d36368f
                                        • Opcode Fuzzy Hash: c76f2cc56218c0753c517b5662971d8c9e64ac3926279413b872a86786cd3698
                                        • Instruction Fuzzy Hash: C3F17875910248DFDF04DF68C999BEEBBB1BF08304F1542A9ED149B292DB74AA14CF90
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,E48E37CD,?,00000000), ref: 003A0A69
                                        • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000), ref: 003A0AEC
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 003A0B39
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 003A0B42
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003A0BA5
                                        • CloseHandle.KERNEL32(00000000), ref: 003A0CF7
                                        • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 003A0D7F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: File$Read$CloseCreateHandlePointerSize
                                        • String ID:
                                        • API String ID: 4181610692-0
                                        • Opcode ID: 44548ca57ba1da3fbf5f480a190cbf4ab375a8a35b34f56f9a140c6d91b1d822
                                        • Instruction ID: 0dd5f3cac1d9ec42100615e67347b0d567b6efbdb540284b663660d97d85b554
                                        • Opcode Fuzzy Hash: 44548ca57ba1da3fbf5f480a190cbf4ab375a8a35b34f56f9a140c6d91b1d822
                                        • Instruction Fuzzy Hash: 07C19071D00308DFDB19CFA4C945BAEBBB9EF46304F21825DE415AB281DB74AA45CB94
                                        APIs
                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 002AF06A
                                        • SysFreeString.OLEAUT32(00000000), ref: 002AF0B6
                                        • SysFreeString.OLEAUT32(00000000), ref: 002AF0D8
                                        • SysFreeString.OLEAUT32(00000000), ref: 002AF233
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: String$Free$Alloc
                                        • String ID: P*$P*
                                        • API String ID: 986138563-181659991
                                        • Opcode ID: 84599760cf6fe0849fe953e6e7653466131ec698156fddd885ffaeb2d04fbc0f
                                        • Instruction ID: d3caab57cdfa92a63014fd59188585265fdc793323d66a6b138a084103b43965
                                        • Opcode Fuzzy Hash: 84599760cf6fe0849fe953e6e7653466131ec698156fddd885ffaeb2d04fbc0f
                                        • Instruction Fuzzy Hash: 33A19F71A1020AEFDB54CFA8CD44BAFB7B8FF45714F104529E919E7280DB78AA05CB61
                                        APIs
                                        • SysFreeString.OLEAUT32(?), ref: 002D4D55
                                        • SysFreeString.OLEAUT32(00000000), ref: 002D4DCA
                                        • GetProcessHeap.KERNEL32(?,?), ref: 002D4E30
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 002D4E36
                                        • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 002D4E66
                                        • HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 002D4E6C
                                        • SysFreeString.OLEAUT32(00000000), ref: 002D4E84
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Free$Heap$String$Process
                                        • String ID:
                                        • API String ID: 2680101141-0
                                        • Opcode ID: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
                                        • Instruction ID: c5550fb7aaf860792a02921b06735303693017a79518c8ad128a4c6f822b2425
                                        • Opcode Fuzzy Hash: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
                                        • Instruction Fuzzy Hash: BA61AC70D1025A9FDF11EFA8C885BAEBBB4BF05314F14415AE821A7382C7789E15CBA1
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 002AB5D2
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        • __Init_thread_footer.LIBCMT ref: 002AB658
                                        • CreateDirectoryW.KERNEL32(005461F4,00000000,?,00000000,E48E37CD,?,00000000), ref: 002AB695
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionCreateDirectoryVariableWake
                                        • String ID: ,bT$,bT$,bT
                                        • API String ID: 2312781895-3320417264
                                        • Opcode ID: c60838737d669644022a35d9dfbab438f072677f0f68d3d28d8e890d4f6c11df
                                        • Instruction ID: 2f162c732814ed31574f04843e4840282d022ce5e7098a21c29079aaed799851
                                        • Opcode Fuzzy Hash: c60838737d669644022a35d9dfbab438f072677f0f68d3d28d8e890d4f6c11df
                                        • Instruction Fuzzy Hash: B551B174D04309EBCB15DFA4DC45BDEBBB4BB16318F104269E411A7292DBB8AA08CF56
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 0033FD8B
                                        • GetWindowRect.USER32(?,?), ref: 0033FDA3
                                        • GetWindowRect.USER32(?,?), ref: 0033FE10
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0033FE34
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Long
                                        • String ID: $/C$L/C
                                        • API String ID: 3486571012-3828232961
                                        • Opcode ID: 51f66e967f2ca33b5639292f3a977e2b93a0e7d648f58fb8fc5e445cf8d34172
                                        • Instruction ID: e4a993c0edd0babb0ff5ade186c9f7dac5dd75bc0046dd850b2a4ac8f09e5073
                                        • Opcode Fuzzy Hash: 51f66e967f2ca33b5639292f3a977e2b93a0e7d648f58fb8fc5e445cf8d34172
                                        • Instruction Fuzzy Hash: D6419F35A083059FC700CF15D884BABB7E8FFAA704F45462EF94597251DB30E949CB52
                                        APIs
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,E48E37CD,?,?), ref: 003CE307
                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,E48E37CD,004A344D), ref: 003CE37F
                                        • GetLastError.KERNEL32 ref: 003CE390
                                        • WaitForSingleObject.KERNEL32(004A344D,000000FF), ref: 003CE3AC
                                        • GetExitCodeProcess.KERNEL32(004A344D,00000000), ref: 003CE3BD
                                        • CloseHandle.KERNEL32(004A344D), ref: 003CE3C7
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 003CE3E2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
                                        • String ID:
                                        • API String ID: 1153077990-0
                                        • Opcode ID: b8295fe31a8a62b7cbd6b9739b8166e9f933dc629a59dd8a913fedac5ecfa2c9
                                        • Instruction ID: c9a29c695c2fea2d6d29f9964349c9e3663ce8356e65c9eadbaed0889e24d4a3
                                        • Opcode Fuzzy Hash: b8295fe31a8a62b7cbd6b9739b8166e9f933dc629a59dd8a913fedac5ecfa2c9
                                        • Instruction Fuzzy Hash: AC418C31E04389ABDB11CFA4CD04BEEBBF8AF49314F145669E824E7290DB749E40CB60
                                        APIs
                                        • LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,003C6881,00000000,E48E37CD,?,00000010,00000000), ref: 003E0EAB
                                        • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 003E0EC1
                                        • FreeLibrary.KERNEL32(00000000), ref: 003E0EFA
                                        • FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,003C6881,00000000,E48E37CD,?,00000010,00000000), ref: 003E0F16
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Library$Free$AddressLoadProc
                                        • String ID: DllGetVersion$Shlwapi.dll
                                        • API String ID: 1386263645-2240825258
                                        • Opcode ID: 923c7c911ff94bb414ea1b0415fcb348068c3adc97b692976e67c0040237e856
                                        • Instruction ID: a0a7f083f3d838580e3a742e1b74a023571823629e2e4896d74795d4c72b7b14
                                        • Opcode Fuzzy Hash: 923c7c911ff94bb414ea1b0415fcb348068c3adc97b692976e67c0040237e856
                                        • Instruction Fuzzy Hash: A221F5326043019BC714AF2AEC4166BB3E4BFED700F82066EF449C3241EB7498498AA2
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 0030EB86
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 0030EB8C
                                          • Part of subcall function 00310530: GetProcessHeap.KERNEL32(?,?,E48E37CD,00000000,?,00000000), ref: 003105EA
                                          • Part of subcall function 00310530: HeapFree.KERNEL32(00000000,?,?,E48E37CD,00000000,?,00000000), ref: 003105F0
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0030ED97
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0030ED9D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3L$|3L
                                        • API String ID: 3859560861-1358128316
                                        • Opcode ID: 37b1d7d8f4bbd3664b7754c7a829faff3df8f03ecdda4b73496662ebec1d7cd2
                                        • Instruction ID: 83ff7ad042d30df15327e0a7238097e8fbbe1b375e467368a470b9ac101908bb
                                        • Opcode Fuzzy Hash: 37b1d7d8f4bbd3664b7754c7a829faff3df8f03ecdda4b73496662ebec1d7cd2
                                        • Instruction Fuzzy Hash: 47F18970A01249DFDB05DFA8C959BEEBBB4FF05314F20459DE411AB2D2DB74AA08CB91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00306ED0
                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00306ED6
                                        • GetProcessHeap.KERNEL32(-000000FF,00000000), ref: 00306F01
                                        • HeapFree.KERNEL32(00000000,-000000FF,00000000), ref: 00306F07
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: _TEMP$|3L
                                        • API String ID: 3859560861-4275186244
                                        • Opcode ID: 2702cdfdd4ff8c01d10da007ec27e761a7167f72f1cb61313380c831f6a39a9b
                                        • Instruction ID: 728a606eda0a6e1f0b76214584d6369c20aa46b08f41238cb7a8aec7f6ac7875
                                        • Opcode Fuzzy Hash: 2702cdfdd4ff8c01d10da007ec27e761a7167f72f1cb61313380c831f6a39a9b
                                        • Instruction Fuzzy Hash: F6918E71D02249DFDB10DFA8C985BEEBBB4EF48314F2442AAE415B72D1CB745A05CBA1
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 003960CA
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 003960EC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00396114
                                        • __Getctype.LIBCPMT ref: 003961E5
                                        • std::_Facet_Register.LIBCPMT ref: 00396247
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00396271
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                        • String ID:
                                        • API String ID: 1102183713-0
                                        • Opcode ID: 16bdc1ead2a2fd71704137c6eeff02d77a149eb722e397ee05228c92c4e14cf4
                                        • Instruction ID: 80e504b38695fd642ee93d0b9980f1006c9fc4baf7f0b5e8a8fba4bd455d0796
                                        • Opcode Fuzzy Hash: 16bdc1ead2a2fd71704137c6eeff02d77a149eb722e397ee05228c92c4e14cf4
                                        • Instruction Fuzzy Hash: 9751DFB0D01608CFDF11CF68C9427AAB7F4EF18318F14815ED845AB392DB35AA45DB91
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 002B99D7
                                        • GetWindowRect.USER32(?,?), ref: 002B9AB3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: RectWindow
                                        • String ID: $/C$PVL$U2C
                                        • API String ID: 861336768-1513382390
                                        • Opcode ID: f1e96658205f708a021b93f6c6f6c355e553cee40779cf9f1719ad7f000d6c23
                                        • Instruction ID: b0132d4e53bcc243a0a0dd09c3bc90a12f8bdc407e6c86ad884b1f8f34d0f9d4
                                        • Opcode Fuzzy Hash: f1e96658205f708a021b93f6c6f6c355e553cee40779cf9f1719ad7f000d6c23
                                        • Instruction Fuzzy Hash: 37E12775D04619EFEB20CFA8C948BDEBBF8EF1A704F108259E909A7251D7706A84DF50
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00437D49,00437D15,?,?,002D21FD,003A0140,?,00000008), ref: 00437D60
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437D6E
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437D87
                                        • SetLastError.KERNEL32(00000000,00437D49,00437D15,?,?,002D21FD,003A0140,?,00000008), ref: 00437DD9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: f57ad7afc310ceaa9d1ca18ed28c66515cef1c3e92a87e9f9f55b9e8b2469381
                                        • Instruction ID: 61344b88a2571e9a83ab7c8496a72ce00faa7f8d2eb0eec799d573b083ed925c
                                        • Opcode Fuzzy Hash: f57ad7afc310ceaa9d1ca18ed28c66515cef1c3e92a87e9f9f55b9e8b2469381
                                        • Instruction Fuzzy Hash: 230128B210D2115EE73826757C8A7372B84EF19378F21272FF550612E1EF5D0C15694D
                                        APIs
                                        • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 002C0118
                                        • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 002C012D
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                          • Part of subcall function 00382040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,002C0168,00000000,80004005), ref: 003820AB
                                          • Part of subcall function 00382040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003820DB
                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 002C025E
                                        • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 002C035A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$AllocateHeapWindow
                                        • String ID: |3L
                                        • API String ID: 3168177373-699080877
                                        • Opcode ID: 2c28678726b0a8a3b1ef440ff638f53b192575b1006418d4f7846241bfc34103
                                        • Instruction ID: c0851def418f51647711d21c2b0515c1179bb70f959bef3fb8a06cbd22aa2a95
                                        • Opcode Fuzzy Hash: 2c28678726b0a8a3b1ef440ff638f53b192575b1006418d4f7846241bfc34103
                                        • Instruction Fuzzy Hash: 6CB18C71A10209EFDB14CFA8C885FEEFBB4FF48314F144219E415AB290DBB5A954CBA4
                                        APIs
                                        • GetShortPathNameW.KERNEL32(E48E37CD,00000000,00000000), ref: 003B3D1F
                                        • GetShortPathNameW.KERNEL32(?,?,?), ref: 003B3D8D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: NamePathShort
                                        • String ID: neutral$x64$x86
                                        • API String ID: 1295925010-1541741584
                                        • Opcode ID: 2ac91285cb599c141804112a6556ba45d32e6ba87ce0d442d73557b6679930d2
                                        • Instruction ID: bef592cfa1186267b19d970e61de5f5773f6121fc027bbb868d4a5cc806a54ef
                                        • Opcode Fuzzy Hash: 2ac91285cb599c141804112a6556ba45d32e6ba87ce0d442d73557b6679930d2
                                        • Instruction Fuzzy Hash: 90B1AE71A00208EFDB01DFA8C859BDEFBB4EF45324F10825DE515AB291DB75AA44CFA4
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000004,?), ref: 002C8258
                                        • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 002C8287
                                        • SendMessageW.USER32(00000000,0000110A,00000004,0A74C085), ref: 002C8443
                                        • SendMessageW.USER32(0000110A,0000110A,00000001,00000000), ref: 002C8466
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: _T
                                        • API String ID: 3850602802-3038003434
                                        • Opcode ID: e286e15d441a332719b5c36079a1a6856da57b7a6d9d6bb2d207984dfac1d7d3
                                        • Instruction ID: d13a4c1f41203e2a1c0f347379a70715c1ca3d1dc5548e4041ce7ac0385182f4
                                        • Opcode Fuzzy Hash: e286e15d441a332719b5c36079a1a6856da57b7a6d9d6bb2d207984dfac1d7d3
                                        • Instruction Fuzzy Hash: 7FA16D72910245DFCB25DF68C884FEEB7B5BF09710F1592A9E801AB291DB70E855CBA0
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 003A99E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID: Close$Copy$Details >>$Send Error Report
                                        • API String ID: 4139908857-113472931
                                        • Opcode ID: 5d44e2711fcd59e1af3fa2257dbed126687410ccbddb11b23d223aea22965632
                                        • Instruction ID: ad29d340a64c405f1ebb5a2d9d2f7c7305f66040a8aaee47b5b04ff53fdc00f2
                                        • Opcode Fuzzy Hash: 5d44e2711fcd59e1af3fa2257dbed126687410ccbddb11b23d223aea22965632
                                        • Instruction Fuzzy Hash: B991C070A40305AFDB15DF60DC56FAAB7B5EF49704F10422AF611BB2D0EBB4A900CB54
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 002A8975
                                        • __Init_thread_footer.LIBCMT ref: 002A89EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: </a>$<a href="$<a>
                                        • API String ID: 1385522511-4210067781
                                        • Opcode ID: 9724feeeeb3ba456ddfa10a710a870b9e672007933aa17da72f3d75678068c93
                                        • Instruction ID: 975bc8e09a20fcf7ca17122c633798b8966f27ae5defeb0f1ed68c0b74a41ac8
                                        • Opcode Fuzzy Hash: 9724feeeeb3ba456ddfa10a710a870b9e672007933aa17da72f3d75678068c93
                                        • Instruction Fuzzy Hash: B1A1DBB0A10605EFCB04DF68D859BADB7B1FB4A318F104219E421AB2D2EF34A954CF65
                                        APIs
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                          • Part of subcall function 00382040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,002C0168,00000000,80004005), ref: 003820AB
                                          • Part of subcall function 00382040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003820DB
                                        • SendMessageW.USER32(?,00001036,00000004,00000004), ref: 002C5FDC
                                        • SendMessageW.USER32(?,00001036,00000400,00000400), ref: 002C5FF3
                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 002C604F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$AllocateHeapWindow
                                        • String ID: QuickSelectionList$|3L
                                        • API String ID: 3168177373-988513940
                                        • Opcode ID: 6df2f2e2daaba8dc42d92abbd427dd8654286d6d4572ef5d840a1b0dcf0c5972
                                        • Instruction ID: 18f949ec6d99d0fcc4f9ac6d36461a23b569e4328e99a115bbf5aceadb438fa9
                                        • Opcode Fuzzy Hash: 6df2f2e2daaba8dc42d92abbd427dd8654286d6d4572ef5d840a1b0dcf0c5972
                                        • Instruction Fuzzy Hash: 53819971A006099FCB14DF69C894BAAF7F4FF88324F10865DE919A7290DB75A944CFA0
                                        APIs
                                          • Part of subcall function 003A0F40: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 003A0F84
                                          • Part of subcall function 003A0F40: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003A0F8F
                                        • GetCurrentThreadId.KERNEL32 ref: 002F9B3C
                                        • SendMessageW.USER32(?,00000127,00030003,00000000), ref: 002F9BC5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$CurrentThread
                                        • String ID: 0^T$AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
                                        • API String ID: 2377075789-3159816273
                                        • Opcode ID: 029317b4d657da0ca53896ec0c0478def70b44d3642e38d15e73869e90cb7f7f
                                        • Instruction ID: e28b2d344a5601bb26630350582aaee559693ebfa71bca48742fa41334bd8507
                                        • Opcode Fuzzy Hash: 029317b4d657da0ca53896ec0c0478def70b44d3642e38d15e73869e90cb7f7f
                                        • Instruction Fuzzy Hash: D181A130A11208DFDF05EF64C895BEDBBB5AF45304F1441A9E906AF292DB74AE08CF91
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000011,?,?,E48E37CD,00000000,?), ref: 003A266C
                                        • SHGetMalloc.SHELL32(?), ref: 003A2695
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$FolderHeapLocationMallocProcessSpecial
                                        • String ID: %s, %.2u %s %.4u %.2u:%.2u:%.2u GMT$C:\$C:\FAKE_DIR\
                                        • API String ID: 3216538967-785558474
                                        • Opcode ID: 69cf29010b6effa0fe968b28c63aa9331189574b25a921bcf76e7937f44a272f
                                        • Instruction ID: 487f1e4dbc96fda2849839b05b25bd0f43b30fd9ade1978fe8d3b6c803c801a8
                                        • Opcode Fuzzy Hash: 69cf29010b6effa0fe968b28c63aa9331189574b25a921bcf76e7937f44a272f
                                        • Instruction Fuzzy Hash: 29715CB1900249ABDB10DF99CC45BAEBBF9FB08704F10851BF915AB391D7B89944CB98
                                        APIs
                                        • CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 002CDD5D
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 002CDD72
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 002CDD7A
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                          • Part of subcall function 002CF780: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002CF7CD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$AllocateCreateHeapWindow
                                        • String ID: SysTabControl32$TabHost
                                        • API String ID: 2359350451-2872506973
                                        • Opcode ID: 67e9d1909d350f9b25dbb652f2453e4f80a83748594dafb59376ad16b3ef720f
                                        • Instruction ID: 9f5e436239efbb60072e70e3c58f43b78ef1acca92bd96c7eaa40c3068a43ea1
                                        • Opcode Fuzzy Hash: 67e9d1909d350f9b25dbb652f2453e4f80a83748594dafb59376ad16b3ef720f
                                        • Instruction Fuzzy Hash: 5D519C35A00605AFDB04DF69C884FAABBB8EF49710F10866DE815A7391DB75A804CBA4
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,E48E37CD), ref: 002B6EF3
                                        • GetLastError.KERNEL32 ref: 002B6F1C
                                        • RegCloseKey.ADVAPI32(?,00000000,00000000,?,004C337C,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 002B7065
                                        Strings
                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 002B6F5C
                                        • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 002B6EE8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CloseCreateErrorEventLast
                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                        • API String ID: 1713683948-2079760225
                                        • Opcode ID: 17ce3ae21b7dc17a82b4143950a174bf7265d2a023e9daf7121d5cce6135bb21
                                        • Instruction ID: c2ad360c85c6df8f1374a8aba5f85b807ec1674f423125f3c2fb8c8bbd79549f
                                        • Opcode Fuzzy Hash: 17ce3ae21b7dc17a82b4143950a174bf7265d2a023e9daf7121d5cce6135bb21
                                        • Instruction Fuzzy Hash: 66618A70D14349EFDB10DF68C945B9EFBF4AF15304F108299E459A7282DBB4AA08CFA5
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,005459E8,Windows.UI.Xaml.Controls.TextBlock,00000022,E48E37CD,00000001,00000000,?,YT,00466017,000000FF), ref: 002DD168
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.UI.Xaml.Controls.TextBlock$YT$YT$YT
                                        • API String ID: 4129690577-2938975705
                                        • Opcode ID: 3993ad33654a1066cb53b079e3e9c10b967140eed0035ded98190b8bf22cef81
                                        • Instruction ID: 88f2a72e7d32c376588bcdd931656f6bc3717b8f6aa1053b92f129b4ad5af8d8
                                        • Opcode Fuzzy Hash: 3993ad33654a1066cb53b079e3e9c10b967140eed0035ded98190b8bf22cef81
                                        • Instruction Fuzzy Hash: B6316A7191161AEBDB00DF94C946BEEBBB4FB15718F10412AE814AB3C1E7B55E08CBD1
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 002B29C6
                                        • EnterCriticalSection.KERNEL32(00546250), ref: 002B29E6
                                        • LeaveCriticalSection.KERNEL32(00546250), ref: 002B2A0A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: cw$PbT
                                        • API String ID: 2351996187-3130983629
                                        • Opcode ID: 8d88d1b47c7a675393569ce56be36c175413e3d3e35d3c4b686b44a550324b9f
                                        • Instruction ID: e8b6bc44dd503a36acc27ff932e95ff2dd20783796b56c480f1861bf76a6cd67
                                        • Opcode Fuzzy Hash: 8d88d1b47c7a675393569ce56be36c175413e3d3e35d3c4b686b44a550324b9f
                                        • Instruction Fuzzy Hash: 30210271908744EFCB20CF58DC45B8ABBF8FB0AB14F10462EE82497780D7B9A408CB91
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
                                        • API String ID: 0-3551742416
                                        • Opcode ID: c054d23cb5549532813ced0d303c7bae3dca243c2bc268910fe6d6a06b4e1f18
                                        • Instruction ID: 6c9adcbb9e76f503178430932f300186a591d1ddc2cd4176b7738e7495d04b0e
                                        • Opcode Fuzzy Hash: c054d23cb5549532813ced0d303c7bae3dca243c2bc268910fe6d6a06b4e1f18
                                        • Instruction Fuzzy Hash: 86210E36A00205ABCB249F28CC55FAAB3A8EB15720F1086AFE911D7390EB35DD04CB44
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,0043A84D,?,?,00000000,?,?,0043A8FF,00000002,FlsGetValue,004BA0D0,004BA0D8), ref: 0043A81C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        • Opcode ID: 0d72abbc88f07c834d54e358a86f8ebcf5ebd06a0feff80027afcbeb2387e7f0
                                        • Instruction ID: debfb66d76cdd69218de67de7394c635f076b8a492e3f6daee57c7bbf43274b0
                                        • Opcode Fuzzy Hash: 0d72abbc88f07c834d54e358a86f8ebcf5ebd06a0feff80027afcbeb2387e7f0
                                        • Instruction Fuzzy Hash: D4110D31980235A7DF32AB589C8475E33A49F05770F150122E950E7380D774ED15C6DF
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00546250), ref: 002B273C
                                        • GetCurrentThreadId.KERNEL32 ref: 002B2750
                                        • LeaveCriticalSection.KERNEL32(00546250), ref: 002B278E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: cw$PbT
                                        • API String ID: 2351996187-3130983629
                                        • Opcode ID: 4d7c33223462a4d21da355549d0f2c4a47ff620679ed67472866bae7f6b14ee0
                                        • Instruction ID: dec1dc4b1f845a71ddf1506c04e55f8490948e5a795ca44fdf908b382f12298d
                                        • Opcode Fuzzy Hash: 4d7c33223462a4d21da355549d0f2c4a47ff620679ed67472866bae7f6b14ee0
                                        • Instruction Fuzzy Hash: DA112739908345DBCB20CF59CD047AAFBF4FB56764F10466ED81197390DBB05908D795
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E48E37CD,?,?,00000000,004B6426,000000FF,?,0044C662,?,?,0044C636,?), ref: 0044C6C4
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044C6D6
                                        • FreeLibrary.KERNEL32(00000000,?,00000000,004B6426,000000FF,?,0044C662,?,?,0044C636,?), ref: 0044C6F8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 928fdc9aad48219fe1f1bd2b115bd998d1f2729f7a24eb2866770bfdbc51361e
                                        • Instruction ID: d4fb6e13103e1b873cb104fd3d1b0b54f5287468b7988c5f96baea1a42dfd0b8
                                        • Opcode Fuzzy Hash: 928fdc9aad48219fe1f1bd2b115bd998d1f2729f7a24eb2866770bfdbc51361e
                                        • Instruction Fuzzy Hash: 4001A231904619EFDB159F54CC45BAFBBB8FB04B11F05463AE811A23D0DF789900CAA8
                                        APIs
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 003A7A1E
                                        • GetProcAddress.KERNEL32(00000000), ref: 003A7A25
                                        • __Init_thread_footer.LIBCMT ref: 003A7A3C
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
                                        • String ID: Dbghelp.dll$SymFromAddr
                                        • API String ID: 3268644551-642441706
                                        • Opcode ID: f3f2e1c3e51275c12a30cd818d0f39c31ed6b83ca910dcb700d7644a4938f35f
                                        • Instruction ID: 524fa59933e797a46b96c231d35bbbadcdd689ff347517ce21342d456c8a048f
                                        • Opcode Fuzzy Hash: f3f2e1c3e51275c12a30cd818d0f39c31ed6b83ca910dcb700d7644a4938f35f
                                        • Instruction Fuzzy Hash: 9901F775948700EFC710CF58ED46B5877A4F71AB38F10436AE816833D0C779A504EB16
                                        APIs
                                        • SleepConditionVariableCS.KERNELBASE(?,00436687,00000064), ref: 0043670D
                                        • LeaveCriticalSection.KERNEL32(00544CD8,?,?,00436687,00000064,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 00436717
                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00436687,00000064,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 00436728
                                        • EnterCriticalSection.KERNEL32(00544CD8,?,00436687,00000064,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043672F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                        • String ID: cw
                                        • API String ID: 3269011525-348920815
                                        • Opcode ID: cebbf792574ae4578a1c886ba1f106878bde163732e5ec56e070e57eae4a8ef9
                                        • Instruction ID: 320ffbe591f8f10d19ce5ee8742dd32b21e0882e752cc9743d4b03ad089ed5f3
                                        • Opcode Fuzzy Hash: cebbf792574ae4578a1c886ba1f106878bde163732e5ec56e070e57eae4a8ef9
                                        • Instruction Fuzzy Hash: A7E09235582524B7CA012B94EC8ABDD3F2CFB09B59B0A0025FA0566160CF640C14DFE8
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?), ref: 0030E08B
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 0030E091
                                        • GetProcessHeap.KERNEL32(?,?), ref: 0030E160
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 0030E166
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3L
                                        • API String ID: 3859560861-699080877
                                        • Opcode ID: 4099d13147e63abc91d554018592df16ab983b339cbbc6adea10035674d330ee
                                        • Instruction ID: 902e72b610533a00ba38aed13c0d46549846ca73298288046a8d60c87b7c5e6b
                                        • Opcode Fuzzy Hash: 4099d13147e63abc91d554018592df16ab983b339cbbc6adea10035674d330ee
                                        • Instruction Fuzzy Hash: 70D18C30A01208CFDB15DFA8C954BEEBBB5BF14304F2445A9D406AB2D2DB74AE49CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 002E1E5F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 002E1E65
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 002E1F0F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 002E1F15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3L
                                        • API String ID: 3859560861-699080877
                                        • Opcode ID: 359c7198bd00fbc5152c87e1c560ac412bc3912c436861b49184581c4d104c58
                                        • Instruction ID: 3fc5a7488d41c28a1f5b8a9bb3319af7eddc55b4288547c0b42aba814ad768f6
                                        • Opcode Fuzzy Hash: 359c7198bd00fbc5152c87e1c560ac412bc3912c436861b49184581c4d104c58
                                        • Instruction Fuzzy Hash: C3B18B70D10298CEEB20DF29CC45B9EBBB5FF05314F5442EAE419A7282DB745A94CF91
                                        APIs
                                          • Part of subcall function 002C25D0: __Init_thread_footer.LIBCMT ref: 002C263F
                                        • SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 002C0502
                                        • SendMessageW.USER32(?,0000104D,00000000,?), ref: 002C05B7
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 002C0656
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 002C0701
                                          • Part of subcall function 002B2970: RaiseException.KERNEL32(?,?,00000000,00000000,00435A3C,C000008C,00000001,?,00435A6D,00000000,?,002A91C7,00000000,E48E37CD,00000001,?), ref: 002B297C
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 002C0787
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$ExceptionInit_thread_footerRaise
                                        • String ID:
                                        • API String ID: 3442259968-0
                                        • Opcode ID: 3fa65aa14980a672b27b8cf640bef340b9b9cf4e04f31b1b4f4734e514760c71
                                        • Instruction ID: 46eba70098b507cb9b0ea0b1bae07fa39ce0af6af825df24846007f97b70dddc
                                        • Opcode Fuzzy Hash: 3fa65aa14980a672b27b8cf640bef340b9b9cf4e04f31b1b4f4734e514760c71
                                        • Instruction Fuzzy Hash: D2B13BB1D11359DBEB24CF54CD94BDABBB1FF59308F104299E9086B280D7B56A84CF80
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 002E0A0F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 002E0A15
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 002E0ABF
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 002E0AC5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3L
                                        • API String ID: 3859560861-699080877
                                        • Opcode ID: 9902da1650ad989b2f1e83e48e6f7c639691ad33b5b776f7904bb32dac69b4ee
                                        • Instruction ID: 44e417e80b0f9c7345af351a25a3c84c7acf3735562781ea621865eed1ce6e14
                                        • Opcode Fuzzy Hash: 9902da1650ad989b2f1e83e48e6f7c639691ad33b5b776f7904bb32dac69b4ee
                                        • Instruction Fuzzy Hash: 3E916A709103A8CEEB20DF25CC85BDAB7B5AF01304F5442EAD509A7282DBB45E99CF52
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ItemMessageSendWindow
                                        • String ID:
                                        • API String ID: 799199299-0
                                        • Opcode ID: 927bbccf9870a7dfd6b087ee0b2eb44df2fecd4a2bed4a2c0a6c9a450a0c49f9
                                        • Instruction ID: 004a91d60fb09552f1be48a006356187fb53798b0451060034d85258b3c2aba1
                                        • Opcode Fuzzy Hash: 927bbccf9870a7dfd6b087ee0b2eb44df2fecd4a2bed4a2c0a6c9a450a0c49f9
                                        • Instruction Fuzzy Hash: E64127363105029FC7658FA8EA88EA6B7A5FB47311F04443AE489C7162DF35EC21DB20
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0039BD04
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0039BD24
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0039BD4C
                                        • std::_Facet_Register.LIBCPMT ref: 0039BE2B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0039BE55
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                        • String ID:
                                        • API String ID: 459529453-0
                                        • Opcode ID: 273fbc6be1a9395a95ac420f12680576e0c4f144d6cae779d46dbc3b80328bb4
                                        • Instruction ID: edf94b11823d33e5534e13931aa44105e1151c01d7e968a872dd0433c754e30b
                                        • Opcode Fuzzy Hash: 273fbc6be1a9395a95ac420f12680576e0c4f144d6cae779d46dbc3b80328bb4
                                        • Instruction Fuzzy Hash: 2151BB74900208DFDF12CF58D9457EEBBF4AF11318F20815EE841AB291DB75AE05CB91
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 002F7A99
                                        • CoInitializeEx.COMBASE(00000000,00000002), ref: 002F7AA9
                                        • SendMessageW.USER32(?,000005FA,?,00000000), ref: 002F7BC1
                                          • Part of subcall function 00306040: EnterCriticalSection.KERNEL32(E48E37CD,E48E37CD), ref: 00306080
                                          • Part of subcall function 00306040: GetCurrentThreadId.KERNEL32 ref: 00306093
                                          • Part of subcall function 00306040: LeaveCriticalSection.KERNEL32(?), ref: 00306111
                                          • Part of subcall function 00300100: SetLastError.KERNEL32(0000000E,?,002F880B,?,?,?,?), ref: 00300118
                                        • GetLastError.KERNEL32(?,?,004CC530,00000000), ref: 002F7B33
                                        • ShowWindow.USER32(?,0000000A,?,?,004CC530,00000000), ref: 002F7B45
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
                                        • String ID:
                                        • API String ID: 2782539745-0
                                        • Opcode ID: ed776e083b0b53a58b1c3cca1a361ad1f970e7991ae1e93f323a7cf24cfc6f7f
                                        • Instruction ID: ac3c1d84917feb7df13dd63e53f92141c03eeda14bfcd2d98d73f169c2c8930a
                                        • Opcode Fuzzy Hash: ed776e083b0b53a58b1c3cca1a361ad1f970e7991ae1e93f323a7cf24cfc6f7f
                                        • Instruction Fuzzy Hash: 2031DC71D10209EBDB15EFA0CC5ABEEFBB4EF10308F104269E5116B2D0DBB95A09CB91
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$Init
                                        • String ID:
                                        • API String ID: 3740757921-0
                                        • Opcode ID: 78486b0ba6afd27f93b7f029463b117397037cc3b0597503a5519f9f2c87757f
                                        • Instruction ID: 8f4f5ab554aa4f2b8436a8d72d7437327b36f144610986247862fc9ad90674db
                                        • Opcode Fuzzy Hash: 78486b0ba6afd27f93b7f029463b117397037cc3b0597503a5519f9f2c87757f
                                        • Instruction Fuzzy Hash: BA312A71D05248EFDB05CFA8C944BDEBBF8EF59704F10C59AE410A7290D7B5AA48CBA1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002D472A
                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002D4730
                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 002D4753
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00466756,000000FF), ref: 002D477B
                                        • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00466756,000000FF), ref: 002D4781
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess$FormatMessage
                                        • String ID:
                                        • API String ID: 1606019998-0
                                        • Opcode ID: 1e6a57d3b5409937a3543e181e4af3536230fc809488315b22734892c04d643f
                                        • Instruction ID: 7c96cc09c7ab6473752850398d11cf614c4e5f6765d0d9f9b5504ef9ee38721b
                                        • Opcode Fuzzy Hash: 1e6a57d3b5409937a3543e181e4af3536230fc809488315b22734892c04d643f
                                        • Instruction Fuzzy Hash: 341163B1A44219ABEB10DF94CD46BAFB7BCEB04B08F10051AF510BB6C1D7F9A9048795
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 002C0DCB
                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 002C0E28
                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 002C0E77
                                        • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 002C0E88
                                        • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 002C0E95
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow
                                        • String ID:
                                        • API String ID: 312131281-0
                                        • Opcode ID: 547d4cc2a6a134b1ef8cb416b86bc089f16a7c45e506cf14199ba591030c150e
                                        • Instruction ID: ea7d1634cf7d15eee095bc392496e0237641153757df6a830781a11d478747b9
                                        • Opcode Fuzzy Hash: 547d4cc2a6a134b1ef8cb416b86bc089f16a7c45e506cf14199ba591030c150e
                                        • Instruction Fuzzy Hash: 60215131958746A7D220DF11CD44B5ABBF1BFEE758F202B0EF1D4211A4E7F191848E86
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                          • Part of subcall function 003BA570: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 003BA59D
                                        • _wcschr.LIBVCRUNTIME ref: 003BAAE2
                                        • _wcschr.LIBVCRUNTIME ref: 003BAB6F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                         • Associated: 00000005.00000002.1405789535.00000000002A0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406048502.000000000053E000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406071003.0000000000543000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406095340.0000000000544000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000547000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer_wcschr$FileHeapModuleNameProcess
                                        • String ID: hM$lM
                                        • API String ID: 973101865-1634504729
                                        • Opcode ID: bf85fbe62f26a33c63c0c604bb8142db0a82dd6021f339454d320ca8f4ae0ad7
                                        • Instruction ID: 0bbaa86850d949c8132de06f0bf4658d020ed0abafaa6fcc927273324aa645c4
                                        • Opcode Fuzzy Hash: bf85fbe62f26a33c63c0c604bb8142db0a82dd6021f339454d320ca8f4ae0ad7
                                        • Instruction Fuzzy Hash: 7CF10171A00A09DFDB01DFA8C849BDEFBF8EF44314F15826EE515AB291EB709904CB91
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: realm
                                        • API String ID: 2691759472-4204190682
                                        • Opcode ID: 50c34606c257566096e354021ee8095d4886208a6faf22f261d49be28f47c03f
                                        • Instruction ID: 74e10de24d24d36cf20d50e49b56e1b8657a93158f161d656a64765ae5ed3055
                                        • Opcode Fuzzy Hash: 50c34606c257566096e354021ee8095d4886208a6faf22f261d49be28f47c03f
                                        • Instruction Fuzzy Hash: 49F1AF32A00609DFDB02DFA8D848B9EBBB9EF55320F15C25AE8149B391DB74DD45CB90
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 002AD946
                                        • SendMessageW.USER32(?,00000000,00000000), ref: 002ADA42
                                          • Part of subcall function 002AF190: SysFreeString.OLEAUT32(00000000), ref: 002AF233
                                        Strings
                                        Similarity
                                        • API ID: CreateFreeMessageSendStringWindow
                                        • String ID: AtlAxWin140$>L
                                        • API String ID: 4045344427-2678703139
                                        • Opcode ID: aa54b2fbc670f9655aca5d1c3b63d585bc48a11fd3f9b13b1798655f6392dcb3
                                        • Instruction ID: 4b16defcfe1b091cbcd968a2aca438fa85a50491b36b367356efec886eeadfc8
                                        • Opcode Fuzzy Hash: aa54b2fbc670f9655aca5d1c3b63d585bc48a11fd3f9b13b1798655f6392dcb3
                                        • Instruction Fuzzy Hash: B5911474600205EFDB14CF64C888B5ABBB9FF49714F208599F81A9B291CB75E915CF50
                                        APIs
                                        • GetWindowRect.USER32(00000004,?), ref: 0030083C
                                        • MonitorFromWindow.USER32(?,00000002), ref: 00300860
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00300882
                                        Strings
                                        Similarity
                                        • API ID: MonitorWindow$FromInfoRect
                                        • String ID: U2C
                                        • API String ID: 1973172141-2543022354
                                        • Opcode ID: 4811f54dc325868474f7d0955c719ce29b878a7cb8321f01db235881bf711089
                                        • Instruction ID: 1564ada9ce7401fa517a196acf9bb31a8b50c2a774c9d6477b7e6268b48fca27
                                        • Opcode Fuzzy Hash: 4811f54dc325868474f7d0955c719ce29b878a7cb8321f01db235881bf711089
                                        • Instruction Fuzzy Hash: 19716675E00208ABDB15DFA8DD49BEEBBF9EF59704F114219F805A72A0DB70A904DF60
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 002FC4EE
                                        • SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 002FC6C1
                                        Strings
                                        Similarity
                                        • API ID: Window$Rect
                                        • String ID: AiDlgHeight$AiDlgWeight
                                        • API String ID: 3200805268-871102398
                                        • Opcode ID: ec900b1fff2d123f9cbd3affb38ddcc69cf5f638d92afba463017cefba2cf657
                                        • Instruction ID: 8fac785a3c81eb746ac0e0d51b40064e2cdce4fb32333cf0a2e75f5c68161794
                                        • Opcode Fuzzy Hash: ec900b1fff2d123f9cbd3affb38ddcc69cf5f638d92afba463017cefba2cf657
                                        • Instruction Fuzzy Hash: 66617E71D0024DEFDB04CFA8C945B9EFBB9EF48304F14816AE911AB291D774AA18CF94
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,E48E37CD,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 003DF974
                                          • Part of subcall function 003A5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,0049A8AD,000000FF), ref: 003A5188
                                          • Part of subcall function 003A5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,0049A8AD,000000FF), ref: 003A51BB
                                          • Part of subcall function 002B2970: RaiseException.KERNEL32(?,?,00000000,00000000,00435A3C,C000008C,00000001,?,00435A6D,00000000,?,002A91C7,00000000,E48E37CD,00000001,?), ref: 002B297C
                                          • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD,00000000,0045D840,000000FF,?,?,00539A1C,?,003DBB18,80004005,E48E37CD), ref: 002A9B5A
                                        Strings
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateExceptionHeapObjectRaiseSingleWait
                                        • String ID: *.*$.jar$.pack
                                        • API String ID: 2917691982-3892993289
                                        • Opcode ID: 99f83a1e5ff1806182c070346a9e64de4b38190717784336c52a4612122080a5
                                        • Instruction ID: 561e9bec4a34aa12f36ac18dd2afc6ec881549ee529e4be6d3dd2b52074163d1
                                        • Opcode Fuzzy Hash: 99f83a1e5ff1806182c070346a9e64de4b38190717784336c52a4612122080a5
                                        • Instruction Fuzzy Hash: 75518F71A0060A9FDB11DFA9D894BAEB7B4FF05314F15826AE426EB391DB34D904CF90
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: P\T$T\T$Windows.UI.Xaml.Controls.CheckBox
                                        • API String ID: 0-3626274231
                                        • Opcode ID: 1c5347e6356d0e77c73066ef20203f5bf64b15f76af383c0d0639f0cf517e1d8
                                        • Instruction ID: b7a12414e66a7885d3c483c210737f2fc41a267eb188743ac183742fb9e9657f
                                        • Opcode Fuzzy Hash: 1c5347e6356d0e77c73066ef20203f5bf64b15f76af383c0d0639f0cf517e1d8
                                        • Instruction Fuzzy Hash: 0D518FB1D11219DBDB01DF94C985BEEBBB8FB04714F10452AE915A73C1DBB45A08CBE1
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: ([T$,[T$Windows.UI.Xaml.Controls.ListBoxItem
                                        • API String ID: 0-881870976
                                        • Opcode ID: 4f9783ebf2b8f9d9e42a48ab5a2f538f82b2d8e4b25bb8b19ae860eb17732430
                                        • Instruction ID: 32e7e28bf13bc10cd8ca8880c302ec54276d2fcf80a72e33f00f8dafb9dee871
                                        • Opcode Fuzzy Hash: 4f9783ebf2b8f9d9e42a48ab5a2f538f82b2d8e4b25bb8b19ae860eb17732430
                                        • Instruction Fuzzy Hash: E0519FB191061ADBDB04DF94C945BEFFBB8FB04714F10452AE911A7381D7B45A04CBE1
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: \T$$\T$Windows.Foundation.Uri
                                        • API String ID: 0-481313770
                                        • Opcode ID: 323dc1d7087c4e7a9682f2f797b4b3ec91cf598b88eaafc04dc42b868872bc76
                                        • Instruction ID: de97e91ad8e5dc8a37e1c0e5eddbf0826d6102d58b884c4c785f94d2a6d05097
                                        • Opcode Fuzzy Hash: 323dc1d7087c4e7a9682f2f797b4b3ec91cf598b88eaafc04dc42b868872bc76
                                        • Instruction Fuzzy Hash: 24518CB1D1125ADBDB04DF94C981BEEBBB8FB04714F10452AE815A73C1DBB45A08CBD1
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.ComboBox$p\T$t\T
                                        • API String ID: 0-1935788850
                                        • Opcode ID: 598e4a51166cd9ea22cb59ad6d8f04ce4af3ec53d1b05dc827cc86ef25900a3a
                                        • Instruction ID: 13fb2660eb79a218ae27f97c8eb570cf723e7b791b42fe5a90d3c407d6c7e9c6
                                        • Opcode Fuzzy Hash: 598e4a51166cd9ea22cb59ad6d8f04ce4af3ec53d1b05dc827cc86ef25900a3a
                                        • Instruction Fuzzy Hash: F751A0B1D0061ADFCB05DFA8C985BEEBBB8FB04718F10452AE811A7381D7B45A44CBE1
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.ListViewItem$x[T$|[T
                                        • API String ID: 0-936118318
                                        • Opcode ID: b2fbf1235de493ff7bc429a8f573223023b84624cefba1e3ade9326e3ecf1ff7
                                        • Instruction ID: 5b960429e5fda64e1b1b2dca2ba1c6ef558319523e8107171f423e1a09f6abe6
                                        • Opcode Fuzzy Hash: b2fbf1235de493ff7bc429a8f573223023b84624cefba1e3ade9326e3ecf1ff7
                                        • Instruction Fuzzy Hash: 79516FB191061ADBDB01DFA4C946BEEFBB4FB04718F10452AE911A7381D7745A04CBD1
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.Grid$ZT$ZT
                                        • API String ID: 0-3490141095
                                        • Opcode ID: 4ce0ff4c21c9a8b316c18cd7f12adf5426dfc1d6e53b2866b6db940565d906da
                                        • Instruction ID: c9f7e4bd97f0649da47019d445a83f792499d8a634d0b6f837dbe2f780abaec6
                                        • Opcode Fuzzy Hash: 4ce0ff4c21c9a8b316c18cd7f12adf5426dfc1d6e53b2866b6db940565d906da
                                        • Instruction Fuzzy Hash: 99516DB1D1061ADBDB00DF94C985BEEFBB8FB04715F10452AE911A7381D7B55A08CBD1
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.TreeView$XZT$\ZT
                                        • API String ID: 0-810584018
                                        • Opcode ID: f4757bd67373f19e4717091db4fb65c84742170ef1f828560ae67429b01d75ec
                                        • Instruction ID: 63a08554fc224c55ad0d9e7bf56cafad1fa5fa34058d495e7c0de1448c43875d
                                        • Opcode Fuzzy Hash: f4757bd67373f19e4717091db4fb65c84742170ef1f828560ae67429b01d75ec
                                        • Instruction Fuzzy Hash: 39518CB191025AEBDB00DF94C985BEEFBB8FB04718F10452AE911A7381D7B45A18CBD1
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.ProgressBar$hZT$lZT
                                        • API String ID: 0-1479912524
                                        • Opcode ID: 509e03d3de308fd0d18b77c3dfe830d6e10e12d9a6b545713cf82955137c12a6
                                        • Instruction ID: 1abd054072ec67f761c4c32cd1b32b16cab3c27e7fde8fa1d61595ccaef19d40
                                        • Opcode Fuzzy Hash: 509e03d3de308fd0d18b77c3dfe830d6e10e12d9a6b545713cf82955137c12a6
                                        • Instruction Fuzzy Hash: C4517DB191021ADBDB00DF94C985BEEFBB8FB05719F10452AE911A7381DBB55A08CBE1
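The function records above (APIs with call-site refs, `$`-separated String IDs, opcode and instruction hashes) are easier to triage in bulk than by scrolling. The parser below is an added example written for this page, not Joe Sandbox code; it turns the text layout of these records into structured objects and answers two questions an analyst asks first: which functions call a given API (directly or only through a subcall), and which functions carry a given string. The sample input is constructed from two records on this page (the `CreateWindowExW`/`AtlAxWin140` record and the `WaitForSingleObject`/`.jar` record) with argument lists shortened. It assumes, from the page's own values such as `*.*$.jar$.pack`, that `$` separates strings inside a String ID; a literal `$` inside a string cannot be told apart from the separator.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two records copied from the report above, argument
# lists shortened. Leading bullets and indentation match the page layout.
SAMPLE = """\
APIs
• CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000), ref: 002AD946
• SendMessageW.USER32(?,00000000,00000000), ref: 002ADA42
  • Part of subcall function 002AF190: SysFreeString.OLEAUT32(00000000), ref: 002AF233
Strings
Similarity
• API ID: CreateFreeMessageSendStringWindow
• String ID: AtlAxWin140$>L
• API String ID: 4045344427-2678703139
• Opcode ID: aa54b2fbc670f9655aca5d1c3b63d585bc48a11fd3f9b13b1798655f6392dcb3
• Instruction ID: 4b16defcfe1b091cbcd968a2aca438fa85a50491b36b367356efec886eeadfc8
• Opcode Fuzzy Hash: aa54b2fbc670f9655aca5d1c3b63d585bc48a11fd3f9b13b1798655f6392dcb3
• Instruction Fuzzy Hash: B5911474600205EFDB14CF64C888B5ABBB9FF49714F208599F81A9B291CB75E915CF50
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,E48E37CD,00000000), ref: 003DF974
  • Part of subcall function 003A5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF), ref: 003A5188
  • Part of subcall function 002A9B10: RtlAllocateHeap.NTDLL(?,00000000,?,E48E37CD), ref: 002A9B5A
Strings
Similarity
• API ID: ByteCharMultiWide$AllocateExceptionHeapObjectRaiseSingleWait
• String ID: *.*$.jar$.pack
• API String ID: 2917691982-3892993289
• Opcode ID: 99f83a1e5ff1806182c070346a9e64de4b38190717784336c52a4612122080a5
• Instruction ID: 561e9bec4a34aa12f36ac18dd2afc6ec881549ee529e4be6d3dd2b52074163d1
• Opcode Fuzzy Hash: 99f83a1e5ff1806182c070346a9e64de4b38190717784336c52a4612122080a5
• Instruction Fuzzy Hash: 75518F71A0060A9FDB11DFA9D894BAEB7B4FF05314F15826AE426EB391DB34D904CF90
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                     # address of the call site
    subcall_of: Optional[str]    # caller address when reached via "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    strings: List[str] = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""


# "Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-Fa-f]+): )?"
    r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^([A-Za-z ]+?): ?(.*)$")   # "Key: value" lines under Similarity


def parse_records(text: str) -> List[FunctionRecord]:
    """Parse report text into one FunctionRecord per function block."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line in ("APIs", "Strings", "Similarity"):
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, name, mod, args, ref = m.groups()
                cur.apis.append(ApiCall(name, mod, args.split(",") if args else [], ref, sub))
            continue
        if section == "Similarity":
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, val = m.group(1), m.group(2)
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.strings = [s for s in val.split("$") if s]   # assumption: '$' separates strings
            elif key == "API String ID":
                cur.api_string_id = val
            elif key == "Opcode ID":
                cur.opcode_id = val
            elif key == "Instruction ID":
                cur.instruction_id = val
            elif key == "Opcode Fuzzy Hash":
                cur.opcode_fuzzy_hash = val
            elif key == "Instruction Fuzzy Hash":
                # Last field of every record on the page: close the record here.
                cur.instruction_fuzzy_hash = val
                records.append(cur)
                cur = FunctionRecord()
    if cur.opcode_id or cur.apis:        # keep a trailing record cut off by page truncation
        records.append(cur)
    return records


def functions_calling(records, api_name, include_subcalls=True):
    """Records that reach api_name; with include_subcalls=False only direct calls count."""
    return [r for r in records
            if any(c.name == api_name and (include_subcalls or c.subcall_of is None)
                   for c in r.apis)]


def functions_with_string(records, needle):
    """Records whose String ID contains needle as a substring of any string."""
    return [r for r in records if any(needle in s for s in r.strings)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in functions_with_string(recs, ".jar"):
        print(r.opcode_id[:16], [c.name for c in r.apis], r.strings)
```

Feeding the whole report section to `parse_records` and pivoting on `functions_calling` or `functions_with_string` is enough to pull out, for instance, every function that reaches `RaiseException` only through a subcall, or every block tagged with a `Windows.UI.Xaml.Controls.*` class name, without reading each record by hand.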
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ]T$$]T$Windows.UI.Xaml.Controls.TreeViewNode
                                        • API String ID: 0-4113699014
                                        • Opcode ID: 5969fd82fbccf17885c795d78d3bd393f07d4c69ddf8502baf89a38f36fa518b
                                        • Instruction ID: 6bf7d1ac35542ad52a03b6520f867e3e83020edd62a435791e136775a9a15174
                                        • Opcode Fuzzy Hash: 5969fd82fbccf17885c795d78d3bd393f07d4c69ddf8502baf89a38f36fa518b
                                        • Instruction Fuzzy Hash: 60519CB1D00219EBDB05DF98D945BEEBBB8FB04718F10452AE801A7381DB746A08CBE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H[T$L[T$Windows.UI.Text.FontWeights
                                        • API String ID: 0-1129277418
                                        • Opcode ID: 658e2ab5d497441732b714a1cfc5af8c3af4c1f7f0ccee234ba25bf70f5728ca
                                        • Instruction ID: 956315a345f0deca8c6d752ca800e711e0f784ceca8b957001ad6fd7d7cba267
                                        • Opcode Fuzzy Hash: 658e2ab5d497441732b714a1cfc5af8c3af4c1f7f0ccee234ba25bf70f5728ca
                                        • Instruction Fuzzy Hash: 36516CB091025ADFDB11DFA8D842BAEFBB4FB05718F10456AE911A7381E7B45A08CBD1
                                        APIs
                                        • EnterCriticalSection.KERNEL32(013CE460,E48E37CD,013CE460), ref: 00305E41
                                        • GetCurrentThreadId.KERNEL32 ref: 00305E51
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00305E77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: cw
                                        • API String ID: 2351996187-348920815
                                        • Opcode ID: 0462889de84b3ebd7b93adf48c2953435e7897b002d129265558da0c15d82a54
                                        • Instruction ID: c76801a8793ce63ae2a5da64b8bc8a28b9a0527e7a952f98139ea228b1d7b2d4
                                        • Opcode Fuzzy Hash: 0462889de84b3ebd7b93adf48c2953435e7897b002d129265558da0c15d82a54
                                        • Instruction Fuzzy Hash: 4F41EE71A01916AFDB11CF58C891BABF7A8FB44314F118329E865D7280D731EE58CBD0
                                        APIs
                                        • ShowWindow.USER32(00000000,00000005,?,?,?), ref: 002F881F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID: (0C$|f/$|f/
                                        • API String ID: 1268545403-4180785344
                                        • Opcode ID: 94248853f5d4d0824a7af270911dbc6f8efa8186940e7744c790fe72970668d5
                                        • Instruction ID: d2d805192c8c450cadbae762c792469074ac2732658b476f67ec1ce412c8f507
                                        • Opcode Fuzzy Hash: 94248853f5d4d0824a7af270911dbc6f8efa8186940e7744c790fe72970668d5
                                        • Instruction Fuzzy Hash: 28418A34901209EFDB11DFA4C849BDEFBB4EF08304F24416DE815AB292DB75AA04CF90
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,00545958,Windows.Management.Deployment.PackageManager,0000002C,E48E37CD,?,?,?,00545954,00466017,000000FF), ref: 002D2808
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: PYT$TYT$Windows.Management.Deployment.PackageManager
                                        • API String ID: 4129690577-2628066133
                                        • Opcode ID: 2592a3307a5c9a28f161199ca516625341513810fdeffe943ea482defb678ea4
                                        • Instruction ID: 1b415265947acfd840636ed14be3335e86ea4b678f7747559340c0e4cea51b5f
                                        • Opcode Fuzzy Hash: 2592a3307a5c9a28f161199ca516625341513810fdeffe943ea482defb678ea4
                                        • Instruction Fuzzy Hash: 78318B7191021AEBDB00CF94C945BEEFBB4FB15714F10412AE814AB381E7B45E18CBD1
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,00545A80,Windows.UI.Xaml.Controls.Image,0000001E,E48E37CD), ref: 002F22E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.UI.Xaml.Controls.Image$xZT$|ZT
                                        • API String ID: 4129690577-3037087256
                                        • Opcode ID: da15cdffe9b63e588760fe33389ee46198c1676c23693b7e3af34796d03fdbd9
                                        • Instruction ID: a15e2ffba27dafccd49656896a7c5c457ccbd12a3347c3fa8d1bf0cc0d2f856f
                                        • Opcode Fuzzy Hash: da15cdffe9b63e588760fe33389ee46198c1676c23693b7e3af34796d03fdbd9
                                        • Instruction Fuzzy Hash: 92317CB191065AEBDB00CFA4C985BEEFBB4FF15315F10412AE810A7391E7B55A08CBD2
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,00545B70,Windows.Foundation.PropertyValue,00000020,E48E37CD,?,?), ref: 0030C1C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.Foundation.PropertyValue$h[T$l[T
                                        • API String ID: 4129690577-3456098058
                                        • Opcode ID: 4d10fcf5644b86900d7f86d2cf83c93ef4bec5fe3b5992a85786ead691fd8032
                                        • Instruction ID: b1dcbd87464365580306095d58729c706cd30dba7a6b58b9770c2dbbc893f666
                                        • Opcode Fuzzy Hash: 4d10fcf5644b86900d7f86d2cf83c93ef4bec5fe3b5992a85786ead691fd8032
                                        • Instruction Fuzzy Hash: DE31AE71911219DBDB05DF94C956BEEFBB4FB05718F10412AE811772C2DBB45A08CBD1
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,00545B70,Windows.Foundation.PropertyValue,00000020,E48E37CD,00000000,00000000), ref: 00304AD6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.Foundation.PropertyValue$h[T$l[T
                                        • API String ID: 4129690577-3456098058
                                        • Opcode ID: 4d10fcf5644b86900d7f86d2cf83c93ef4bec5fe3b5992a85786ead691fd8032
                                        • Instruction ID: 7024b64c24281ef2ff997891e298fc562230b4d983d645cc9457070b13e3b105
                                        • Opcode Fuzzy Hash: 4d10fcf5644b86900d7f86d2cf83c93ef4bec5fe3b5992a85786ead691fd8032
                                        • Instruction Fuzzy Hash: 6B319CB1901219DBDB01DF94C856BEEBBB4FB05718F10402AE911772C1DBB45B08CBD1
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,00545B70,Windows.Foundation.PropertyValue,00000020,E48E37CD,?,?), ref: 00319AF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.Foundation.PropertyValue$h[T$l[T
                                        • API String ID: 4129690577-3456098058
                                        • Opcode ID: 144b92a0c371c10d678478de4261949e7e1d791248eba0cb6c0e3bce5234fb69
                                        • Instruction ID: 74a060cbea37e90ef4fcbb9a0ae952b0d7f3340b020f721b028df2a4fe403244
                                        • Opcode Fuzzy Hash: 144b92a0c371c10d678478de4261949e7e1d791248eba0cb6c0e3bce5234fb69
                                        • Instruction Fuzzy Hash: A131BA70900219DBCB05DFA4C852BEEFBB4FF08718F10402AE8016B2C1DBB41A48CBD2
                                        APIs
                                        • EnterCriticalSection.KERNEL32(E48E37CD,E48E37CD), ref: 00306080
                                        • GetCurrentThreadId.KERNEL32 ref: 00306093
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00306111
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: cw
                                        • API String ID: 2351996187-348920815
                                        • Opcode ID: f464e5ef514046c62a9fc1a15b344693ba5a222fca808f2ce6c101406685d697
                                        • Instruction ID: 7b49a34180bb6e30d5636f06c68d0dc7f777b804c8415e57c2fe0caa3e41141c
                                        • Opcode Fuzzy Hash: f464e5ef514046c62a9fc1a15b344693ba5a222fca808f2ce6c101406685d697
                                        • Instruction Fuzzy Hash: 5531BF71904644DFDB12CF59C84679EBBF4EF09314F14816DE895A33A1E775AA04CB90
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 002D4B92
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002D4B98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RoOriginateLanguageException$combase.dll
                                        • API String ID: 2574300362-3996158991
                                        • Opcode ID: 7d5ecc93ee863025578f2404f5ede602971f69000ebd2cc54a84d855a65226d3
                                        • Instruction ID: 7ed5f524acc7091364cb0db634492b216e25f1fb7dd56f6fdd14d9fdd5c3f317
                                        • Opcode Fuzzy Hash: 7d5ecc93ee863025578f2404f5ede602971f69000ebd2cc54a84d855a65226d3
                                        • Instruction Fuzzy Hash: 38318F30914209EFDB14EFA8C941BAEB7B4EB04314F10452BE825A73C0E7789E54CB91
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,003D029A,?,E48E37CD,?,?,?,000000FF,?), ref: 003D2154
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,003D029A,?,E48E37CD,?,?,?,000000FF,?,003CFC64), ref: 003D2171
                                        • GetLastError.KERNEL32(?,E48E37CD,?,?,?,000000FF,?,003CFC64,?,?,00000000,00000000,E48E37CD,?,?), ref: 003D21D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: CreateEvent$ErrorLast
                                        • String ID: AdvancedInstaller
                                        • API String ID: 1131763895-1372594473
                                        • Opcode ID: 9e20daf372e15df2cf8214315ceb113a3b28202f7738d4c09d36345e4a791fa5
                                        • Instruction ID: 5322dc6aad711804aaf957f3dbac996eac676bf85f9ae89c3ddd46e1a5065090
                                        • Opcode Fuzzy Hash: 9e20daf372e15df2cf8214315ceb113a3b28202f7738d4c09d36345e4a791fa5
                                        • Instruction Fuzzy Hash: D4118E72340602BBE711DB22EC89F56BBA4BB54704F12842AF6059B690CB70B851CBA4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1405822629.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002A0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a0000_2c6HNWVywp.jbxd
                                        Similarity
                                        • API ID: Window$Destroy
                                        • String ID: Eg/$Eg/
                                        • API String ID: 3707531092-89372140
                                        APIs
                                          • Part of subcall function 00382470: __Init_thread_footer.LIBCMT ref: 00382500
                                          • Part of subcall function 00382470: GetProcAddress.KERNEL32(SetWindowTheme), ref: 0038253D
                                          • Part of subcall function 00382470: __Init_thread_footer.LIBCMT ref: 00382554
                                          • Part of subcall function 00382470: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 0038257F
                                        • CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00381FA2
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00381FC0
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00381FC8
                                          • Part of subcall function 002B0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 002B0DE6
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
                                        • String ID: SysListView32
                                        • API String ID: 605634508-78025650
                                        APIs
                                        • CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00382A0B
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00382A23
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00382A2B
                                          • Part of subcall function 002B0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 002B0DE6
                                        Strings
                                        Similarity
                                        • API ID: MessageSendWindow$CreateLong
                                        • String ID: RichEdit20W
                                        • API String ID: 4015368215-4173859555
                                        APIs
                                        • GetParent.USER32(?), ref: 00304881
                                        • GetParent.USER32(?), ref: 0030488A
                                        • SendMessageW.USER32(?,00000411,00000000,?), ref: 0030489F
                                        Strings
                                        Similarity
                                        • API ID: Parent$MessageSend
                                        • String ID: ,
                                        • API String ID: 2251359880-3772416878
                                        APIs
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        • SysFreeString.OLEAUT32(00000000), ref: 002B46F0
                                        • SysFreeString.OLEAUT32(00000000), ref: 002B4731
                                        Similarity
                                        • API ID: FreeString
                                        • String ID:
                                        • API String ID: 3341692771-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,E48E37CD), ref: 002D4209
                                        • HeapFree.KERNEL32(00000000,?,?,E48E37CD), ref: 002D420F
                                        Strings
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: tYT$tYT
                                        • API String ID: 3859560861-411996263
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(E48E37CD,E48E37CD,?), ref: 002BCD2F
                                        • EnterCriticalSection.KERNEL32(?,E48E37CD,?), ref: 002BCD3C
                                        • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 002BCE13
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: cw
                                        • API String ID: 3991485460-348920815
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 003BC70F
                                        • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 003BC71C
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 003BC739
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 003BC75B
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        APIs
                                        • MulDiv.KERNEL32(00000010,?,00000060), ref: 002F6467
                                        • GetWindowRect.USER32(?,?), ref: 002F64B6
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002F64DF
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,00000060), ref: 002F6571
                                        Similarity
                                        • API ID: Window$LongRect
                                        • String ID:
                                        • API String ID: 463821813-0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,0049A8AD,000000FF), ref: 003A5188
                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,0049A8AD,000000FF), ref: 003A51BB
                                        • GetStdHandle.KERNEL32(000000F5,?,E48E37CD,00000000,0045D840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 003A5226
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,E48E37CD,00000000,0045D840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 003A522D
                                        Similarity
                                        • API ID: ByteCharMultiWide$AttributeConsoleHandleText
                                        • String ID:
                                        • API String ID: 3849414675-0
                                        APIs
                                        • GetParent.USER32(00000000), ref: 002F996F
                                        • GetParent.USER32(00000000), ref: 002F9977
                                        • GetParent.USER32(00000000), ref: 002F997C
                                        • SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 002F998D
                                        Similarity
                                        • API ID: Parent$MessageSend
                                        • String ID:
                                        • API String ID: 2251359880-0
                                        • Opcode ID: 9f7870afab117b6eeae7e4e50b3d1afe018cf63ce4cb73e1ba16c0f6907e1fb9
                                        • Instruction ID: 8fe041e30971eb1939b2bd0be0315c389c87942c7ca8b0a1fd623e96eada86e8
                                        • Opcode Fuzzy Hash: 9f7870afab117b6eeae7e4e50b3d1afe018cf63ce4cb73e1ba16c0f6907e1fb9
                                        • Instruction Fuzzy Hash: 7A21C53261010A6BDB259B28EC84FFEF79CEFA1794F054539F601C2150EB71DDA1CA64
                                        APIs
                                        • SetWindowLongW.USER32(?,000000FC,00000000), ref: 002B8A19
                                        • GetParent.USER32(?), ref: 002B8A4D
                                          • Part of subcall function 00435D0D: GetProcessHeap.KERNEL32(00000008,00000008,?,002B0DC7,?,?,002B0B74,?), ref: 00435D12
                                          • Part of subcall function 00435D0D: HeapAlloc.KERNEL32(00000000,?,?,002B0B74,?), ref: 00435D19
                                        • SetWindowLongW.USER32(?,000000EB), ref: 002B8A80
                                        • ShowWindow.USER32(?,00000000), ref: 002B8A96
                                        Similarity
                                        • API ID: Window$HeapLong$AllocParentProcessShow
                                        • String ID:
                                        • API String ID: 78937335-0
                                        • Opcode ID: 08a2e41d15387d3c82869f8c8b227384cb7a7f92eb564673e6e9bd21cb202b1b
                                        • Instruction ID: 30cecd44536b01f8b2561ecf5ba63c706bb3e8401962dfbc34d07b1600cc97c9
                                        • Opcode Fuzzy Hash: 08a2e41d15387d3c82869f8c8b227384cb7a7f92eb564673e6e9bd21cb202b1b
                                        • Instruction Fuzzy Hash: A12171746047029FC720EF29D849A6BBBE8FF59754B054A2EF49AC3661DB34E804CF61
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,E48E37CD), ref: 002BCB8A
                                        • EnterCriticalSection.KERNEL32(?,E48E37CD), ref: 002BCB97
                                        • LeaveCriticalSection.KERNEL32(?), ref: 002BCBE8
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: cw
                                        • API String ID: 3991485460-348920815
                                        • Opcode ID: f8f7c8ca432677ecb12d514a34b2360efb81a50da08953428b692a933b1f3b1e
                                        • Instruction ID: ac456302697957e49080a76615add1574dc7d15cfd930e7ddb71faaf9d076a7a
                                        • Opcode Fuzzy Hash: f8f7c8ca432677ecb12d514a34b2360efb81a50da08953428b692a933b1f3b1e
                                        • Instruction Fuzzy Hash: 1E21E5369002459FDF11DF64CC45BEABBB4FB16328F2005B9EC59AB382D7315909CB60
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,E48E37CD), ref: 002BCC7A
                                        • EnterCriticalSection.KERNEL32(?,E48E37CD), ref: 002BCC87
                                        • LeaveCriticalSection.KERNEL32(?), ref: 002BCCCE
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: cw
                                        • API String ID: 3991485460-348920815
                                        • Opcode ID: f5242bfa6bd4245b02fa7571afbe1a58f4b4434a6d50439467fc6eb55c1b8ce8
                                        • Instruction ID: 55e10fc4fd87cf6f98fc0e9767ba1d06d37e82d0764d41eb518e0f1eefa5d965
                                        • Opcode Fuzzy Hash: f5242bfa6bd4245b02fa7571afbe1a58f4b4434a6d50439467fc6eb55c1b8ce8
                                        • Instruction Fuzzy Hash: 6C21C4759002459FDF11DF64CC45BE9BBB8FF25324F2006AAEC59AB392D7315909CBA0
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,E48E37CD,?), ref: 002BCABD
                                        • EnterCriticalSection.KERNEL32(?,E48E37CD,?), ref: 002BCACA
                                        • LeaveCriticalSection.KERNEL32(?), ref: 002BCAF2
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: cw
                                        • API String ID: 3991485460-348920815
                                        • Opcode ID: 9b1428e730e2ef0bc8ccb2b2166a5b21325925bf4e22d0debc70eedea85d7f22
                                        • Instruction ID: 13ea7b0bf3aac19e7686930ee3ec4f8694e593bc5e60fad614636e0b379eca22
                                        • Opcode Fuzzy Hash: 9b1428e730e2ef0bc8ccb2b2166a5b21325925bf4e22d0debc70eedea85d7f22
                                        • Instruction Fuzzy Hash: 632129379042499FCF01CF64CC40BEABF78EB16324F2006ADD855A7381D7325A09CBA0
                                        APIs
                                        • GetWindowRect.USER32(00000000,?), ref: 0033FAD1
                                        • SendMessageW.USER32(00000000,00000317,?,00000014), ref: 0033FB65
                                        Similarity
                                        • API ID: MessageRectSendWindow
                                        • String ID: U2C
                                        • API String ID: 2814762282-2543022354
                                        • Opcode ID: 33594be1d0fb07d069798bbc3be82438acd3ed66de29bca74f665e5c8e2bb7b0
                                        • Instruction ID: 16fcb52b4c2455a712afff8744e7f73de8053c3e6c30a3eaef4534d435bdd7b3
                                        • Opcode Fuzzy Hash: 33594be1d0fb07d069798bbc3be82438acd3ed66de29bca74f665e5c8e2bb7b0
                                        • Instruction Fuzzy Hash: CEB187B4E00609DFCB15CFA8C984B9DFBB4FF49304F198229E805AB351D770A955CB90
                                        APIs
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                        • DeleteFileW.KERNEL32(?), ref: 003E03FA
                                        • DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 003E052F
                                          • Part of subcall function 003CF280: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,E48E37CD,00000001,7597EB20,00000000), ref: 003CF2CF
                                          • Part of subcall function 003CF280: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,E48E37CD,00000001,7597EB20,00000000), ref: 003CF305
                                          • Part of subcall function 003CC7E0: LoadStringW.USER32(000000A1,?,00000514,E48E37CD), ref: 003CC836
                                        Strings
                                        • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 003E03AE
                                        Similarity
                                        • API ID: File$DeleteInit_thread_footer$CreateHeapLoadProcessReadString
                                        • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                        • API String ID: 3544038457-3685554107
                                        • Opcode ID: 535bc1537ba0ab8b6cb7086dd9aaca90d55397808c42d5b72e2b95e16b811c63
                                        • Instruction ID: 5d3338ebdf0a7706b1d2055fd16a6e297ef95e3dfd14fb02494c9865c3412c87
                                        • Opcode Fuzzy Hash: 535bc1537ba0ab8b6cb7086dd9aaca90d55397808c42d5b72e2b95e16b811c63
                                        • Instruction Fuzzy Hash: 8691E031A006499FDB01DF69C844B9EBBB5EF45324F1882A9E815DB2E2DB70DD04CF90
                                        APIs
                                        • GetSystemDefaultLangID.KERNEL32(E48E37CD,-00000044,?,-00000048,00000000), ref: 003C4C76
                                          • Part of subcall function 002A9E50: GetProcessHeap.KERNEL32 ref: 002A9EA5
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9ED7
                                          • Part of subcall function 002A9E50: __Init_thread_footer.LIBCMT ref: 002A9F62
                                          • Part of subcall function 003C4050: GetLocaleInfoW.KERNEL32(?,00000002,004C337C,00000000), ref: 003C40C1
                                          • Part of subcall function 003C4050: GetLocaleInfoW.KERNEL32(?,00000002,003C3B85,-00000001,00000078,-00000001), ref: 003C40FD
                                        Similarity
                                        • API ID: InfoInit_thread_footerLocale$DefaultHeapLangProcessSystem
                                        • String ID: SystemDefault LangID=$T`T
                                        • API String ID: 185108660-2467999230
                                        • Opcode ID: b84c776f5545f21c1e3a671a655583eb1eb91f10daa252e429b106791374d494
                                        • Instruction ID: c51beb8a285ca690b56325701ba1a71a7a3da4bce2d9219195db3de7e257b9c2
                                        • Opcode Fuzzy Hash: b84c776f5545f21c1e3a671a655583eb1eb91f10daa252e429b106791374d494
                                        • Instruction Fuzzy Hash: 9A51C031A006159BDB11DB6CCC59BAAB7B5FF41321F1583ADE826DB2D2DB34AD01CB90
                                        APIs
                                          • Part of subcall function 00436662: EnterCriticalSection.KERNEL32(00544CD8,?,?,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 0043666D
                                          • Part of subcall function 00436662: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9EF6,00545904,E48E37CD,?,?,0045DE0D,000000FF,?,003DBABC,E48E37CD), ref: 004366AA
                                        • __Init_thread_footer.LIBCMT ref: 002ED28D
                                          • Part of subcall function 00436618: EnterCriticalSection.KERNEL32(00544CD8,?,?,002A9F67,00545904,004B6640), ref: 00436622
                                          • Part of subcall function 00436618: LeaveCriticalSection.KERNEL32(00544CD8,?,002A9F67,00545904,004B6640), ref: 00436655
                                          • Part of subcall function 00436618: RtlWakeAllConditionVariable.NTDLL ref: 004366CC
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                        • String ID: ItemData$Windows.UI.Xaml.Controls.ListViewItem
                                        • API String ID: 2296764815-2445763458
                                        • Opcode ID: 2e37e4d0a80e5c9236da95710d5e6bb603fd8295eda4edfcae8c6d93b6f66486
                                        • Instruction ID: 5380416488675e11825f963b97cbdaf93afe93f4eb09e232606a98b911fa4f59
                                        • Opcode Fuzzy Hash: 2e37e4d0a80e5c9236da95710d5e6bb603fd8295eda4edfcae8c6d93b6f66486
                                        • Instruction Fuzzy Hash: AC718E70901289EFDB05DFA8C905BDEBBB0BF15308F148259E815672C1D7B99A18DFA2
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,E48E37CD,00000000,00000000), ref: 00393D11
                                        Similarity
                                        • API ID: Path
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 2875597873-3019864461
                                        • Opcode ID: d8585bc1b285db782f906ae64c729eace4b07c3afc673522627b0f5ea2d4f1f0
                                        • Instruction ID: 325eec93eaddb034798661c607bf636bee64ade0415847b9e770d6cde64fa500
                                        • Opcode Fuzzy Hash: d8585bc1b285db782f906ae64c729eace4b07c3afc673522627b0f5ea2d4f1f0
                                        • Instruction Fuzzy Hash: A751CEB1D10604DBDF15DF68D889BAEB7F5FF49704F20811DE8116B281EB756A48CBA0
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?,E48E37CD,?,?,00546054), ref: 003D858F
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,00546054), ref: 003D85F0
                                        Similarity
                                        • API ID: CreateDirectoryPathTemp
                                        • String ID: ADVINST_LOGS
                                        • API String ID: 2885754953-2492584244
                                        • Opcode ID: cf6681609e04f68bad7634826f503b061211210953c57df780a2f2cc53c03aaf
                                        • Instruction ID: 08f0a7aa267f8080b1440d4953de51da1f34625d992f08361b2e52cf1bf192cc
                                        • Opcode Fuzzy Hash: cf6681609e04f68bad7634826f503b061211210953c57df780a2f2cc53c03aaf
                                        • Instruction Fuzzy Hash: FB51E376900219CBCB219F28D844BB6B3B4FF14724F2546AFE94997390EF74AD81CB90
                                        APIs
                                        • RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,004C337C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,E48E37CD), ref: 002B7280
                                          • Part of subcall function 0038DDA0: GetModuleHandleW.KERNEL32(Advapi32.dll,E48E37CD,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 0038DDE3
                                        • CloseHandle.KERNEL32(?,E48E37CD), ref: 002B72B9
                                        Strings
                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 002B7178
                                        Similarity
                                        • API ID: CloseHandle$Module
                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                        • API String ID: 1412095732-2431777889
                                        • Opcode ID: 1f6645c20ee49ad2098a1875662167d5b77d2fb0187f131c601b31c8e6903b7c
                                        • Instruction ID: 8cc8530f25ab10233cb40f7295228604337dc5e7b6372ab1200a40a592f18e05
                                        • Opcode Fuzzy Hash: 1f6645c20ee49ad2098a1875662167d5b77d2fb0187f131c601b31c8e6903b7c
                                        • Instruction Fuzzy Hash: 0D514770D14248DBDB20DFA4CD59BDEBBB4AF14304F108199E445B7281DBB46A48CFA5
                                        APIs
                                          • Part of subcall function 0044DBDD: RtlFreeHeap.NTDLL(00000000,00000000,?,0045221D,?,00000000,?,?,004524BE,?,00000007,?,?,00452B18,?,?), ref: 0044DBF3
                                          • Part of subcall function 0044DBDD: GetLastError.KERNEL32(?,?,0045221D,?,00000000,?,?,004524BE,?,00000007,?,?,00452B18,?,?), ref: 0044DBFE
                                        • ___free_lconv_mon.LIBCMT ref: 004529C5
                                        Strings
                                        Similarity
                                        • API ID: ErrorFreeHeapLast___free_lconv_mon
                                        • String ID: XS$pS
                                        • API String ID: 4068849827-569932662
                                        • Opcode ID: 61abd49d96065fd1667bf9e2e057668717230982f0dc05b8255683136d3247a6
                                        • Instruction ID: 7c8133f0ea26293141766542d6fcd144055b285f78e83da7cdbbe6d366c4c699
                                        • Opcode Fuzzy Hash: 61abd49d96065fd1667bf9e2e057668717230982f0dc05b8255683136d3247a6
                                        • Instruction Fuzzy Hash: E0317F31A003459FEB30AA3AD905F5777E5EF01315F11482FE895D7252DBB8BC448A18
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: DestroySleepWindow
                                        • String ID: (0C
                                        • API String ID: 3305115879-4186761363
                                        • Opcode ID: cc5af74faadcaee13600348827c267ed86438c5331a97f0584fb83065853cf83
                                        • Instruction ID: a6dcbbc56d873c5d2c65ccd39efd6f1292b7f8b0e78949542fd302bf55b07b23
                                        • Opcode Fuzzy Hash: cc5af74faadcaee13600348827c267ed86438c5331a97f0584fb83065853cf83
                                        • Instruction Fuzzy Hash: EE418130A50348EFCB11DF68DC45BEDBBB5AF09740F1440A9E909AB292CB745E04DBA1
                                        APIs
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0045284F
                                        • __freea.LIBCMT ref: 0045285E
                                          • Part of subcall function 0044DC17: RtlAllocateHeap.NTDLL(00000000,00000000,0044D0E1,?,0044EE85,?,00000000,?,0043F625,00000000,0044D0E1,?,?,?,?,0044CEDB), ref: 0044DC49
                                        Strings
                                        Similarity
                                        • API ID: AllocateHeapStringType__freea
                                        • String ID: `&+
                                        • API String ID: 4073780324-3639896150
                                        • Opcode ID: 5a52d66ab29f983f671ba40245352746cc87ab2d2ded0933e19252d6a24dbe08
                                        • Instruction ID: 8c1a90fd66e90fe9d51338e83850f6f567f061405b3f3b572fa639ec0173d275
                                        • Opcode Fuzzy Hash: 5a52d66ab29f983f671ba40245352746cc87ab2d2ded0933e19252d6a24dbe08
                                        • Instruction Fuzzy Hash: C531E171A0020AABCF20AFA5CC45EAF7BA5EF46711F04422BFC04A7252D778CC55C794
                                        APIs
                                        • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,E48E37CD,004D9754), ref: 003A7428
                                        • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 003A7524
                                          • Part of subcall function 00399AC0: std::locale::_Init.LIBCPMT ref: 00399B9D
                                          • Part of subcall function 003972B0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00397385
                                        Strings
                                        • Failed to get Windows error message [win32 error 0x, xrefs: 003A7446
                                        Similarity
                                        • API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
                                        • String ID: Failed to get Windows error message [win32 error 0x
                                        • API String ID: 1983821583-3373098694
                                        • Opcode ID: 0efd0d20b30ebc20ad619e518589258679fa735843713d5f3591b730d267aa43
                                        • Instruction ID: b44742c02ca93191cba31a701e5d07770d6cc32e4da7460a9828f125c54df2fc
                                        • Opcode Fuzzy Hash: 0efd0d20b30ebc20ad619e518589258679fa735843713d5f3591b730d267aa43
                                        • Instruction Fuzzy Hash: 43418070A043099BDB11DF68CD59BAFBBF8FF05704F104669E455EB290D7B89A08CB91
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,00545CC8,Windows.UI.Xaml.Documents.Hyperlink,00000023,E48E37CD,00000004,000000FF,?,00545CC4,00466017,000000FF), ref: 00315268
                                        Strings
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: PT1$Windows.UI.Xaml.Documents.Hyperlink
                                        • API String ID: 4129690577-488487626
                                        • Opcode ID: 2195f3d690044b366d0d9550078324155aa2b84e61f2c57745891c3a73a0670a
                                        • Instruction ID: 3e41e74d78ebc539be8b0553f48e14b7eb751cf50a75f235fbd888bf995b4427
                                        • Opcode Fuzzy Hash: 2195f3d690044b366d0d9550078324155aa2b84e61f2c57745891c3a73a0670a
                                        • Instruction Fuzzy Hash: 03317771900619DBDB05CF98C986BEEBBB4FB54718F10442AE800AB381EBB45E49CBD1
                                        APIs
                                        • OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,004DA350,00000001,E48E37CD,00000000), ref: 003F20FE
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 003F211B
                                        Strings
                                        Similarity
                                        • API ID: Event$CreateOpen
                                        • String ID: _pbl_evt
                                        • API String ID: 2335040897-4023232351
                                        • Opcode ID: 91222f0b724ae2618a7b94e13cfb780b2fbd2751ea59165fbbecd0eb803fade7
                                        • Instruction ID: d8d039068949a40b1d81e12b5085de7ba65ac9779620b059d5e1d0e31aeeee63
                                        • Opcode Fuzzy Hash: 91222f0b724ae2618a7b94e13cfb780b2fbd2751ea59165fbbecd0eb803fade7
                                        • Instruction Fuzzy Hash: B8311871D10208EFDB10DFA8CD55BEEB7B4EB15714F108119E911B7280DB746A09CFA5
                                        APIs
                                        • IsWindow.USER32(00000002), ref: 002AD6CB
                                        • IsWindow.USER32(00000002), ref: 002AD6E2
                                        Strings
                                        Similarity
                                        • API ID: Window
                                        • String ID: H?L
                                        • API String ID: 2353593579-2793153261
                                        • Opcode ID: 6a9e0501638adbc858b164404b05620800661546854e9c8ea1bf455eee3d2b6c
                                        • Instruction ID: 57bcf4b88b1dcb53b2e3b4c95d6f25cbda40e7fff65cff50725eea5334ba5f06
                                        • Opcode Fuzzy Hash: 6a9e0501638adbc858b164404b05620800661546854e9c8ea1bf455eee3d2b6c
                                        • Instruction Fuzzy Hash: C72168346107059FCB28DF65D895F6BB7F9FF09B10F048A2DE46A87AA0CB35A914CB50
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0039689B
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003968FE
                                        Strings
                                        Similarity
                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                        • String ID: bad locale name
                                        • API String ID: 3988782225-1405518554
                                        • Opcode ID: 19bb1b77dc3aa81c4df6047e96261b1d4fe960ad05010f44dd6cf5c7d51b0157
                                        • Instruction ID: 47a12a30b167d0ba21c635e42d094d45d4534be139f8d4a4b37e7ae10793b203
                                        • Opcode Fuzzy Hash: 19bb1b77dc3aa81c4df6047e96261b1d4fe960ad05010f44dd6cf5c7d51b0157
                                        • Instruction Fuzzy Hash: EC210270605784DFDB20CF69C80575ABFF4AF15304F14869EE08587781D7B9AA04CB95
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 0034813A
                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00348147
                                        Strings
                                        Similarity
                                        • API ID: Window$Destroy
                                        • String ID: {L
                                        • API String ID: 3707531092-1469069594
                                        • Opcode ID: f6f1068f8e7cfa43598785a2ba304b5fa0952c9bf70781ff8ea41df34db836b7
                                        • Instruction ID: 2716c141c286dab2805b3360630d5c9219b489b61f8a3769599323abdecdd806
                                        • Opcode Fuzzy Hash: f6f1068f8e7cfa43598785a2ba304b5fa0952c9bf70781ff8ea41df34db836b7
                                        • Instruction Fuzzy Hash: B331CB30804788EFCB00DF68C90479EFBF0BF11314F10829AE45497AD2CBB4AA18CB95
                                        APIs
                                          • Part of subcall function 00435A3D: EnterCriticalSection.KERNEL32(00544C5C,00000001,?,?,002A91C7,00000000,E48E37CD,00000001,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0), ref: 00435A48
                                          • Part of subcall function 00435A3D: LeaveCriticalSection.KERNEL32(00544C5C,?,002A91C7,00000000,E48E37CD,00000001,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0,?,00000001), ref: 00435A74
                                        • FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,E48E37CD,00000001,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0,?), ref: 002A91E6
                                          • Part of subcall function 002A9250: LoadResource.KERNEL32(00000000,00000000,E48E37CD,00000001,00000000,?,00000000,0045D610,000000FF,?,002A91FC,?,?,?,-00000010,0045DD00), ref: 002A927B
                                          • Part of subcall function 002A9250: LockResource.KERNEL32(00000000,?,002A91FC,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0,?,00000001,?,002B69F0,-00000010), ref: 002A9286
                                          • Part of subcall function 002A9250: SizeofResource.KERNEL32(00000000,00000000,?,002A91FC,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0,?,00000001,?,002B69F0), ref: 002A9294
                                        Strings
                                        Similarity
                                        • API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
                                        • String ID: HLT$HLT
                                        • API String ID: 529824247-1049769609
                                        • Opcode ID: 4770d01078323c04acf472a3882ad7079e9633d0f92eab44646c5aad5a1c2efb
                                        • Instruction ID: b80dfb7cb3cf5980236ba4879ec285c59686b5b7a17fb5eb519f32b7a0de9b69
                                        • Opcode Fuzzy Hash: 4770d01078323c04acf472a3882ad7079e9633d0f92eab44646c5aad5a1c2efb
                                        • Instruction Fuzzy Hash: 67113A36F446146BD3248F5AAC82B7AF3E8E789B64F00027EEC09D3380EF359C008690
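Two of the entries above are the kind of API sequence worth pulling out of this listing programmatically rather than by eye: the OpenEventW/CreateEventW pair at 003F20FE/003F211B that names the event _pbl_evt (an open-then-create probe of a named object, the usual shape of a run-once or already-running check), and the FindResourceExW, LoadResource, LockResource, SizeofResource chain at 002A91E6 (the standard way a PE reads a payload it carries as a resource, which is what "Drops PE files" in the signature list usually traces back to). The Python below is an added example, not Joe Sandbox tooling and not code from the sample: it parses the report's "APIs" lines into records and flags those two patterns over a constructed copy of the lines quoted in these entries. The regular expression, the stripping of A/W/Ex suffixes, the literal-argument heuristic and the finding names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: copies of API lines as they appear in the report's per-function "APIs" lists.
SAMPLE = """\
APIs
• OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,004DA350,00000001,E48E37CD,00000000), ref: 003F20FE
• CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 003F211B
Strings
APIs
  • Part of subcall function 0044DBDD: RtlFreeHeap.NTDLL(00000000,00000000,?,0045221D,?,00000000,?,?,004524BE,?,00000007,?,?,00452B18,?,?), ref: 0044DBF3
• ___free_lconv_mon.LIBCMT ref: 004529C5
• FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,E48E37CD,00000001,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0,?), ref: 002A91E6
  • Part of subcall function 002A9250: LoadResource.KERNEL32(00000000,00000000,E48E37CD,00000001,00000000,?,00000000,0045D610,000000FF,?,002A91FC,?,?,?,-00000010,0045DD00), ref: 002A927B
  • Part of subcall function 002A9250: LockResource.KERNEL32(00000000,?,002A91FC,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0,?,00000001,?,002B69F0,-00000010), ref: 002A9286
  • Part of subcall function 002A9250: SizeofResource.KERNEL32(00000000,00000000,?,002A91FC,?,?,?,-00000010,0045DD00,000000FF,?,002A93A0,?,00000001,?,002B69F0), ref: 002A9294
"""

# One API line of the report. Three shapes occur (assumed from the lines quoted on this page):
#   • Name.MODULE(arg,arg,...), ref: ADDR
#   • Part of subcall function ADDR: Name.MODULE(...), ref: ADDR
#   • Name.MODULE ref: ADDR                       (CRT helpers, no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_WORD = re.compile(r"-?[0-9A-Fa-f]{8}")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple                 # the report's stack snapshot, not the exact parameter list
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall function"


def parse_api_lines(text):
    """Return an ApiCall for every line that matches API_LINE; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def base_name(api):
    """Drop the A/W and Ex decorations so FindResourceExW compares equal to FindResource (heuristic)."""
    return re.sub(r"(?:Ex)?[AW]?$", "", api)


def literal_args(call):
    """Arguments that are neither '?' nor a hex word: in practice the strings the sandbox resolved."""
    return [a for a in call.args if a != "?" and not HEX_WORD.fullmatch(a)]


RESOURCE_CHAIN = {"FindResource", "LoadResource", "LockResource", "SizeofResource"}


def triage(calls):
    """Map finding name -> evidence for the two API patterns this example looks for."""
    present = {base_name(c.name): c for c in calls}
    findings = {}
    if RESOURCE_CHAIN <= set(present):
        # Every step of the resource-read chain is present: report each call site.
        findings["embedded_resource_read"] = sorted(
            f"{c.name}@{c.ref:08X}" for c in calls if base_name(c.name) in RESOURCE_CHAIN
        )
    if "OpenEvent" in present and "CreateEvent" in present:
        # Open-then-create on a named event: report the name(s) seen and the call order by address.
        findings["named_event_check"] = {
            "event_names": literal_args(present["OpenEvent"]),
            "open_before_create": present["OpenEvent"].ref < present["CreateEvent"].ref,
        }
    return findings


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        via = f"  (via sub_{c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} {c.module:8} {c.name}{via}")
    print(triage(parse_api_lines(SAMPLE)))
```

Because the argument columns in these reports are a stack snapshot rather than the prototype's parameter list (the _pbl_evt name appears in the fourth column of OpenEventW, which only takes three parameters), the example reports string-looking tokens wherever they occur instead of trusting a position. The address comparison in open_before_create is likewise only a hint about control flow within one function, not proof of the branch taken.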
                                        APIs
                                        • RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,E48E37CD,?,?,?,?,?,0045E74D,000000FF), ref: 004B673C
                                        Strings
                                        Similarity
                                        • API ID: DirectoryRemove
                                        • String ID: ,bT$8bT
                                        • API String ID: 597925465-591092549
                                        • Opcode ID: 046d078f0c481c87f5cf7a66e368f8e100d6f6322cfef4c02bb7faec1dfaeaad
                                        • Instruction ID: 094d6dfc5502c31f85d3d6474dbb365073fe49a5c4e3fe57cf596d67152e2b32
                                        • Opcode Fuzzy Hash: 046d078f0c481c87f5cf7a66e368f8e100d6f6322cfef4c02bb7faec1dfaeaad
                                        • Instruction Fuzzy Hash: 3311C279904604EFCB10DF58DC41B9AF7B9FB0A724F10436AE464A7390DB796D04CBA4
                                        APIs
                                        • GetParent.USER32(00000005), ref: 002C1274
                                        Strings
                                        • d, xrefs: 002C1240
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 002C1249
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                        • API String ID: 975332729-3357045315
                                        • Opcode ID: 360726e7335e910e1bef1c73d1727830bec018f92044d46bf28d6f183253932f
                                        • Instruction ID: a53017b3eb273668b04e53fcf9d4783ca1c0e5ab2e216c54094aed277ed14ac5
                                        • Opcode Fuzzy Hash: 360726e7335e910e1bef1c73d1727830bec018f92044d46bf28d6f183253932f
                                        • Instruction Fuzzy Hash: 5F210474D15298EFDF00DFE4D958B8DBBB1BF15308F148098E405AB295CBB95A08CB81
                                        APIs
                                        Strings
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 002AD375
                                        • d, xrefs: 002AD369
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: 235941f399c0e145c0862068abfd010eb6f35e383133df0b0c3e3c046c5b9d9f
                                        • Instruction ID: 6388dbc9c17e385239fb50e1998b462e89a06874b0e70d93053f798ab2e58aaa
                                        • Opcode Fuzzy Hash: 235941f399c0e145c0862068abfd010eb6f35e383133df0b0c3e3c046c5b9d9f
                                        • Instruction Fuzzy Hash: 3B210274D15298EFDF01DFE4D898B8DBBB1BF15308F108099D001AB295DBB85A08CF81
                                        APIs
                                        Strings
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 002ACFA6
                                        • d, xrefs: 002ACF9D
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: 10f0e7e29a6fe0a339b12fa4ab55b55028606bfc45102a1af488159515cd469c
                                        • Instruction ID: 4d53c99d7c627480a4b1c2cfcdf7028caee51bbee34f004469c64a1e4047e820
                                        • Opcode Fuzzy Hash: 10f0e7e29a6fe0a339b12fa4ab55b55028606bfc45102a1af488159515cd469c
                                        • Instruction Fuzzy Hash: BA211E78D15298EFDF01DFE0D898B9DBBB1BF15308F108099E001AB291DBB85A08CF95
                                        APIs
                                        • GetParent.USER32(0000000D), ref: 002C133B
                                        Strings
                                        • d, xrefs: 002C1305
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 002C130E
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                        • API String ID: 975332729-3357045315
                                        • Opcode ID: a18f8f55b4df2a1b9c97f3295904db879a42aff67ec7273ead39778f1283a87a
                                        • Instruction ID: 809ab7bd81bf41dcda8ad31d00c081d39cbcbf2561789955d10540485ab42ee4
                                        • Opcode Fuzzy Hash: a18f8f55b4df2a1b9c97f3295904db879a42aff67ec7273ead39778f1283a87a
                                        • Instruction Fuzzy Hash: 40210F78D10288EFDF00DFE4D898B9DBBB1BF15308F108099E001AB296DBB95A08DB41
                                        APIs
                                        Strings
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 002AD439
                                        • d, xrefs: 002AD42D
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: 9a6f0525d62296496f12bebc9e1e5e161da4f3b5822b332ecb1e94b66bda8d8f
                                        • Instruction ID: 942ece7afa1c3a92467610e3c899eb7ff233d25147abb6d3408f700e72ece648
                                        • Opcode Fuzzy Hash: 9a6f0525d62296496f12bebc9e1e5e161da4f3b5822b332ecb1e94b66bda8d8f
                                        • Instruction Fuzzy Hash: 18213338D10288EBDF05DFE0D998BCDBBB1BF15308F208059E001AB295DBB85A08CF41
                                        APIs
                                        Strings
                                        • d, xrefs: 002AD05C
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 002AD065
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: ef9818f807cb6eb6d8be3961ed0bedfe12799106f3912589c44adb0620c4668c
                                        • Instruction ID: 2f73d14fd72fc4d38743a6abfeeadba8496ec3aa01274cc800b4f84a08238fc7
                                        • Opcode Fuzzy Hash: ef9818f807cb6eb6d8be3961ed0bedfe12799106f3912589c44adb0620c4668c
                                        • Instruction Fuzzy Hash: FC212F78D14288EBDF05DFE0D898BCDBBB1AF15308F108099E001AB281DBB90A08CF55
                                        APIs
                                        • CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0030130F
                                        • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,002FFDEC,00000000,E48E37CD,?,?), ref: 00301328
                                        Strings
                                        Similarity
                                        • API ID: Window$Create
                                        • String ID: tooltips_class32
                                        • API String ID: 870168347-1918224756
                                        • Opcode ID: 17e20d9bad03d2b88c6d4229bd4e40a506bd7b9af447cb30aef46eb381638ca0
                                        • Instruction ID: a69c00d920786af9cb64e6df892ba0833f0feae3278a5ebc97bc40949877942c
                                        • Opcode Fuzzy Hash: 17e20d9bad03d2b88c6d4229bd4e40a506bd7b9af447cb30aef46eb381638ca0
                                        • Instruction Fuzzy Hash: F701F0313C12127AF7248664DC5AFE23298D751B44F348329BB00FA0D0D6A6EA14DA08
                                        APIs
                                        • GetParent.USER32(00000013), ref: 002C13C4
                                        Strings
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 002C13A9
                                        • Unknown exception, xrefs: 002C1399
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
                                        • API String ID: 975332729-2259502730
                                        • Opcode ID: bec26caa9affc059701b7320d97007d424009fdc1c92ae730792c118b7b9d86c
                                        • Instruction ID: 0841877117a7f16a5c07e3ebcd668a8a8be9347bde5ded7351d6d60868b48a11
                                        • Opcode Fuzzy Hash: bec26caa9affc059701b7320d97007d424009fdc1c92ae730792c118b7b9d86c
                                        • Instruction Fuzzy Hash: 6A012134D15248EFCF05DBE4C915BDDBBB1AF55304F548098D0016B396DBB95E08DB91
                                        APIs
                                        Strings
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 002AD4D3
                                        • Unknown exception, xrefs: 002AD4C0
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                        • API String ID: 2558294473-452454139
                                        • Opcode ID: 7e0d5acedb825b21b29781f5107344404961c92b502a03135b8f8d15ad787a3f
                                        • Instruction ID: 2f796995f4701627db30d0272921472bfb15e55557fc766870d1a005bbf3bedf
                                        • Opcode Fuzzy Hash: 7e0d5acedb825b21b29781f5107344404961c92b502a03135b8f8d15ad787a3f
                                        • Instruction Fuzzy Hash: 44016D34D05288EBCF05EBE4CD15BDDBBB16F56304F248198D0016B386DBB45A08DB92
                                        APIs
                                        Strings
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 002AD0FA
                                        • Unknown exception, xrefs: 002AD0EA
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                        • API String ID: 2558294473-452454139
                                        • Opcode ID: 3c06a7ab13c42ffe2cb13ab86f80829a6f36dd641d896c3885165a63fbe29871
                                        • Instruction ID: e3522309e1cbd6e03f1edb07522428ee13ee135225cfbd87ab42d977d1aa163b
                                        • Opcode Fuzzy Hash: 3c06a7ab13c42ffe2cb13ab86f80829a6f36dd641d896c3885165a63fbe29871
                                        • Instruction Fuzzy Hash: 76018034D15288EBCF05DBE4C9147DDBBB16F56304F148099D0016B386DBB45B08DB92
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(00545968,00545C48), ref: 0030BEB6
                                        Strings
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: @\T$D\T
                                        • API String ID: 4129690577-1299419456
                                        • Opcode ID: 8af4067acd202c45857628af924fa32533fa503ba2a378c9afc484980cec56ff
                                        • Instruction ID: dff8c44b2174a6e44f9dd0ea7b50e8bc25fe660ce9b38d1922f8b2be186ea0e6
                                        • Opcode Fuzzy Hash: 8af4067acd202c45857628af924fa32533fa503ba2a378c9afc484980cec56ff
                                        • Instruction Fuzzy Hash: F1018F31A01709DBCB06CFA4D981BEEFBB0FB56319F10445AD8056B382EB715A05EBC0
                                        APIs
                                        • GetOEMCP.KERNEL32(00000000,?,?,?,00000104), ref: 00452DD7
                                        • GetACP.KERNEL32(00000000,?,?,?,00000104), ref: 00452DEE
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: `&+
                                        • API String ID: 0-3639896150
                                        • Opcode ID: db4eaf6639b0eebf6df3ef297d8ad16896119d69160f80b7682fb657232110e4
                                        • Instruction ID: 3df5194eb33503c3140cddf9700c79a655212287101b407eb01e4bd586bbcddf
                                        • Opcode Fuzzy Hash: db4eaf6639b0eebf6df3ef297d8ad16896119d69160f80b7682fb657232110e4
                                        • Instruction Fuzzy Hash: 16F0C830400904CFDB14EB58D9497AA77B0B71233EFA4035AE825861E3DBB54C4DC789
                                        APIs
                                          • Part of subcall function 002B3650: InitializeCriticalSectionAndSpinCount.KERNEL32(00544C5C,00000000,E48E37CD,002A0000,Function_001BD840,000000FF,?,004359BB,?,?,?,002A6438), ref: 002B3675
                                          • Part of subcall function 002B3650: GetLastError.KERNEL32(?,004359BB,?,?,?,002A6438), ref: 002B367F
                                        • IsDebuggerPresent.KERNEL32(?,?,?,002A6438), ref: 004359BF
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002A6438), ref: 004359CE
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004359C9
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 450123788-631824599
                                        • Opcode ID: 432d15e8538785d6fa9a776d11546437bd92312c5e992a6a18985925e39215f2
                                        • Instruction ID: dfd6b9c8e85e5c7bf63782afd32d1d0f849adf59d3915a57008b722ff12b0b39
                                        • Opcode Fuzzy Hash: 432d15e8538785d6fa9a776d11546437bd92312c5e992a6a18985925e39215f2
                                        • Instruction Fuzzy Hash: 5CE092B0201B10CFC3609F35E444782BBE8AF09718F118D2FE586C6781EBB8E804CBA5