Windows Analysis Report
65X4tr6fyX.exe

Overview

General Information

Sample name: 65X4tr6fyX.exe (renamed because original name is a hash value)
Original sample name: 737fd3383357d283d2b9d6e9e594023b44f9d3c53548ad86f6739d896dce681a.exe
Analysis ID: 1560418
MD5: e74a1746e6c2d916a5b6c96913e9868b
SHA1: ebbc4fa51c44db6400ab49e42acebf103211efce
SHA256: 737fd3383357d283d2b9d6e9e594023b44f9d3c53548ad86f6739d896dce681a
Tags: exe, MenghuNetworkTechnologyBeijingCoLtd, user-JAMESWT_MHT

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • 65X4tr6fyX.exe (PID: 6008 cmdline: "C:\Users\user\Desktop\65X4tr6fyX.exe" MD5: E74A1746E6C2D916A5B6C96913E9868B)
    • msiexec.exe (PID: 5336 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\D67B221\CapCut Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\65X4tr6fyX.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732213957 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 5956 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4688 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EBEF6F46475D66D6CF3B6B5FF30932BA C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2884 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2B5EC4E9F9B2BE78351790F405B34BD2 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Compliance

Source: 65X4tr6fyX.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 65X4tr6fyX.exe | Static PE information: certificate valid
Source: 65X4tr6fyX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: 65X4tr6fyX.exe
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BF2380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AEAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BD4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BF3220 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BD5370 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BB8230 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFC530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C108D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFC930 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BD4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BDCF00 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BEF260 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFF8A0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFB500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection
Source: 65X4tr6fyX.exe | String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: 65X4tr6fyX.exe, 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp, 65X4tr6fyX.exe, 00000000.00000000.2045610116.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: shi35CF.tmp.0.dr | String found in binary or memory: http://.css
Source: shi35CF.tmp.0.dr | String found in binary or memory: http://.jpg
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi35CF.tmp.0.dr | String found in binary or memory: http://html4/loose.dtd
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://t2.symcb.com0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://tl.symcd.com0&
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C12390 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B92620 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B30110 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B78100 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AE2330 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AEC750 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AE8840 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AE89B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00ADEBF0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B30C9E GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B30C28 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B30D5D GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B26FA0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00ADF1A0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00ADF7D0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AFD760 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AE1740 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AF18D0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AE1D70 NtdllDefWindowProc_W
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5a3979.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B20.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B6F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B9F.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_0120A272
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_0120A298
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C0C120
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BAC150
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AEAB80
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BE8C40
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C115C0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AF62B0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AF44A0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AEE540
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C767E0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C84801
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AE8DF0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C7EF3A
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AD3010
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BB3460
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B05680
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C6F7DC
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AF3890
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C819A0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AF79D0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B2FAD0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C89D65
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AD3E25
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: String function: 00B03BA0 appears 90 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: String function: 00AD87D0 appears 404 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: String function: 00AD70D0 appears 36 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: String function: 00AD7160 appears 52 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: String function: 00BCF720 appears 61 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: String function: 00AD9120 appears 38 times
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: String function: 00AD9990 appears 60 times
Source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameInstaller.exe4 vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelzmaextractor.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrereq.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exeBinary or memory string: OriginalFileNameInstaller.exe4 vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exeBinary or memory string: OriginalFilenameDecoder.dllF vs 65X4tr6fyX.exe
Source: 65X4tr6fyX.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi35CF.tmp.0.drBinary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engineClassification label: clean8.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BD3200 FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFDAE0 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C17B10 CoCreateInstance
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B6AD00 FindResourceW,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File created: C:\Users\user\AppData\Roaming\FineViews Official Community
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File created: C:\Users\user\AppData\Local\Temp\shi35CF.tmp
Source: 65X4tr6fyX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File read: C:\Users\user\Desktop\65X4tr6fyX.exe
Source: unknown | Process created: C:\Users\user\Desktop\65X4tr6fyX.exe "C:\Users\user\Desktop\65X4tr6fyX.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EBEF6F46475D66D6CF3B6B5FF30932BA C
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\D67B221\CapCut Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\65X4tr6fyX.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732213957 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2B5EC4E9F9B2BE78351790F405B34BD2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\D67B221\CapCut Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\65X4tr6fyX.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732213957 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EBEF6F46475D66D6CF3B6B5FF30932BA C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2B5EC4E9F9B2BE78351790F405B34BD2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 65X4tr6fyX.exe | Static PE information: certificate valid
Source: 65X4tr6fyX.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 65X4tr6fyX.exe | Static file information: File size 49006072 > 1048576
Source: 65X4tr6fyX.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x217a00
Source: 65X4tr6fyX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 65X4tr6fyX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 65X4tr6fyX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 65X4tr6fyX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 65X4tr6fyX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 65X4tr6fyX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 65X4tr6fyX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 65X4tr6fyX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3B20.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: 65X4tr6fyX.exe, 00000000.00000003.2093412591.0000000005675000.00000004.00000020.00020000.00000000.sdmp, shi35CF.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: 65X4tr6fyX.exe
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: 65X4tr6fyX.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 5a3979.msi.2.dr, CapCut Installer.msi.0.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr
Source: 65X4tr6fyX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 65X4tr6fyX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 65X4tr6fyX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 65X4tr6fyX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 65X4tr6fyX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi35CF.tmp.0.dr | Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C10560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: shi35CF.tmp.0.dr | Static PE information: section name: .wpp_sf
Source: shi35CF.tmp.0.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_011FC1E2 push eax; ret 0_3_011FC299
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247903 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247903 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246865 push es; retf 0_3_012468B6
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246865 push es; retf 0_3_012468B6
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01248167 push es; retf 0_3_012481A2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01248167 push es; retf 0_3_012481A2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247A41 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247A41 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246F94 push es; retf 0_3_01246FDA
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246F94 push es; retf 0_3_01246FDA
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247903 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247903 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246F94 push es; retf 0_3_01246FDA
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246F94 push es; retf 0_3_01246FDA
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246865 push es; retf 0_3_012468B6
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01246865 push es; retf 0_3_012468B6
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01248167 push es; retf 0_3_012481A2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01248167 push es; retf 0_3_012481A2
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247A41 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_01247A41 push es; retf 0_3_01247A44
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_3_011FC1E2 push eax; ret 0_3_011FC299
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B760EB push ecx; mov dword ptr [esp], 3F800000h 0_2_00B762BE
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C6771E push ecx; ret 0_2_00C67731
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AE5CB0 push ecx; mov dword ptr [esp], ecx 0_2_00AE5CB1
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BB3D60 push ecx; mov dword ptr [esp], 3F800000h 0_2_00BB3E96
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B20.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File created: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B6F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File created: C:\Users\user\AppData\Local\Temp\shi35CF.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File created: C:\Users\user\AppData\Local\Temp\MSI3766.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File created: C:\Users\user\AppData\Local\Temp\MSI3842.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B9F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B20.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B6F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B9F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3AB1.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3B20.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3B6F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi35CF.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3766.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3842.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3B9F.tmp
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File Volume queried: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File Volume queried: C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\D67B221 FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BF2380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00AEAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BD4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BF3220 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BD5370 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BB8230 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFC530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C108D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFC930 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BD4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BDCF00 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BEF260 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFF8A0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00BFB500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C6411D VirtualQuery,GetSystemInfo
Source: MSI3B9F.tmp.2.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C66437 IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C10560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C6674C mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C88A0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C7D840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00C667B8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\65X4tr6fyX.exe | Code function: 0_2_00B02530 __set_se_translator,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: 0_2_00C671E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00C671E8
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: 0_2_00C6BEA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C6BEA3
Source: C:\Users\user\Desktop\65X4tr6fyX.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\fineviews official community\installer 1.0.0\install\d67b221\capcut installer.msi" ai_setupexepath=c:\users\user\desktop\65x4tr6fyx.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1732213957 " ai_euimsi=""
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: 0_2_00BFFD20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,0_2_00BFFD20
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx,0_2_00BF4F10
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: EnumSystemLocalesW,0_2_00C80DD9
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00C84D50
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: EnumSystemLocalesW,0_2_00C84FF2
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetLocaleInfoW,0_2_00C84F4B
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: EnumSystemLocalesW,0_2_00C850D8
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: EnumSystemLocalesW,0_2_00C8503D
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00C85163
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetLocaleInfoW,0_2_00C853B6
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetLocaleInfoW,0_2_00C81356
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00C854DF
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetLocaleInfoW,0_2_00C855E5
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00C856B4
Source: C:\Users\user\Desktop\65X4tr6fyX.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: 0_2_00C0C8F0 CreateNamedPipeW,CreateFileW,0_2_00C0C8F0
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: 0_2_00C663AD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,0_2_00C663AD
Source: C:\Users\user\Desktop\65X4tr6fyX.exeCode function: 0_2_00C0B490 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,0_2_00C0B490
MITRE ATT&CK Matrix, one line per tactic (numbers in parentheses are the count of matching signatures for that technique):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (1); Native API (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (21); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (21); Peripheral Device Discovery (11); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (3); System Information Discovery (25)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
[Behavior Graph, ID: 1560418, Sample: 65X4tr6fyX.exe, Startdate: 21/11/2024, Architecture: WINDOWS, Score: 8. Process tree recovered from the graph: 65X4tr6fyX.exe (started from Start) dropped C:\Users\user\AppData\Roaming\...\decoder.dll (PE32), C:\Users\user\AppData\Local\...\shi35CF.tmp (PE32+), C:\Users\user\AppData\Local\...\MSI3842.tmp (PE32) and C:\Users\user\AppData\Local\...\MSI3766.tmp (PE32), and started one msiexec.exe; a second msiexec.exe (started from Start) dropped C:\Windows\Installer\MSI3B9F.tmp, C:\Windows\Installer\MSI3B6F.tmp, C:\Windows\Installer\MSI3B20.tmp and C:\Windows\Installer\MSI3AB1.tmp (all PE32), and started two further msiexec.exe processes.]
Antivirus detection (Source, Detection, Scanner):
• 65X4tr6fyX.exe: 5%, ReversingLabs
Antivirus detection of dropped files (Source, Detection, Scanner):
• C:\Users\user\AppData\Local\Temp\MSI3766.tmp: 0%, ReversingLabs
• C:\Users\user\AppData\Local\Temp\MSI3842.tmp: 0%, ReversingLabs
• C:\Users\user\AppData\Local\Temp\shi35CF.tmp: 0%, ReversingLabs
• C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\decoder.dll: 0%, ReversingLabs
• C:\Windows\Installer\MSI3AB1.tmp: 0%, ReversingLabs
• C:\Windows\Installer\MSI3B20.tmp: 0%, ReversingLabs
• C:\Windows\Installer\MSI3B6F.tmp: 0%, ReversingLabs
• C:\Windows\Installer\MSI3B9F.tmp: 0%, ReversingLabs
No Antivirus matches
No contacted domains info
URLs (Name; Source; Malicious; Antivirus Detection; Reputation):
• http://html4/loose.dtd; source: shi35CF.tmp.0.dr; malicious: false; reputation: high
• https://www.advancedinstaller.com; source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr; malicious: false; reputation: high
• https://www.thawte.com/cps0/; source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr; malicious: false; reputation: high
• http://.css; source: shi35CF.tmp.0.dr; malicious: false; reputation: high
• http://.jpg; source: shi35CF.tmp.0.dr; malicious: false; reputation: high
• https://www.thawte.com/repository0W; source: 65X4tr6fyX.exe, 00000000.00000003.2177129106.00000000063D1000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2183096782.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2177184809.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.0000000004054000.00000004.00000020.00020000.00000000.sdmp, 65X4tr6fyX.exe, 00000000.00000003.2087524901.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, MSI3B6F.tmp.2.dr, 5a3979.msi.2.dr, MSI3766.tmp.0.dr, CapCut Installer.msi.0.dr, MSI3AB1.tmp.2.dr, MSI3842.tmp.0.dr, MSI3B9F.tmp.2.dr, MSI3B20.tmp.2.dr; malicious: false; reputation: high
              No contacted IP infos
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1560418
              Start date and time:2024-11-21 19:35:10 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 45s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
               Number of new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:65X4tr6fyX.exe
              renamed because original name is a hash value
              Original Sample Name:737fd3383357d283d2b9d6e9e594023b44f9d3c53548ad86f6739d896dce681a.exe
              Detection:CLEAN
              Classification:clean8.winEXE@8/13@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 57%
              • Number of executed functions: 73
              • Number of non-executed functions: 189
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: 65X4tr6fyX.exe
              No simulations
              No context
               Associated samples (Match; Associated Sample Name / URL; Detection; Threat Name):
               • Match: C:\Users\user\AppData\Local\Temp\MSI3766.tmp
                 • QuickBooks_Installer.msi; malicious; Unknown
                 • file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
                 • 0n25lfPJxD.exe; malicious; AsyncRAT, DcRat, Quasar, XWorm
                 • SecuriteInfo.com.BackDoor.Siggen2.4873.19832.17135.msi; malicious; Unknown
                 • SecuriteInfo.com.BackDoor.Siggen2.4873.19471.19549.msi; malicious; Unknown
                 • zoQOIWTCDJ.msi; malicious; Unknown
                 • EjhVO5YaYI.msi; malicious; Unknown
                 • QuickBooks JAWANI.msi; malicious; Unknown
                 • QuickBooks Setup.msi; malicious; Unknown
                 • QuickBooks Setup.msi.zip; malicious; Unknown
                                  Process:C:\Users\user\Desktop\65X4tr6fyX.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:6144:3SGhsSlnJc5xR+yGjNUaPkp8u84XLyJ+8zLCAONOmXNfnZRAF3U+Hj1:3SGXc5Seas8uDELCeGNPZh+Hj1
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Joe Sandbox View:
                                   • Filename: QuickBooks_Installer.msi, Detection: malicious
                                   • Filename: file.exe, Detection: malicious
                                   • Filename: 0n25lfPJxD.exe, Detection: malicious
                                   • Filename: SecuriteInfo.com.BackDoor.Siggen2.4873.19832.17135.msi, Detection: malicious
                                   • Filename: SecuriteInfo.com.BackDoor.Siggen2.4873.19471.19549.msi, Detection: malicious
                                   • Filename: zoQOIWTCDJ.msi, Detection: malicious
                                   • Filename: EjhVO5YaYI.msi, Detection: malicious
                                   • Filename: QuickBooks JAWANI.msi, Detection: malicious
                                   • Filename: QuickBooks Setup.msi, Detection: malicious
                                   • Filename: QuickBooks Setup.msi.zip, Detection: malicious
                                  Reputation:moderate, very likely benign file
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\65X4tr6fyX.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):934880
                                  Entropy (8bit):6.463468533833365
                                  Encrypted:false
                                  SSDEEP:24576:FmCzCf7c4yQ8xtgIZROly4aNXVW+hv+Ahi:8Rc4yQ8xtoly4aNXVW+hv+Ahi
                                  MD5:B15DBF4B35CD1460BA283795E24878C8
                                  SHA1:327812BE4BFDCE7A87CB00FAB432ECC0D8C38C1E
                                  SHA-256:0AC07DB6140408E9586D46727EB32AF8F8048CAD535ECA9052B6EF1149E63147
                                  SHA-512:95EDC60C9658E0E8631604459969A406414902F297B7A14F2BE6D3BC18878636167D202530D4EE3B4D7AF189A9139A2183929250920196C48C08EDA3D6DFDCA4
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:moderate, very likely benign file
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:bu.[.&.[.&.[.&7).'.[.&7).'Q[.&.#.'.[.&.#.'.[.&.#.'.[.&7).'.[.&7).'.[.&.[.&.Z.&d".'.[.&d".'.[.&d".&.[.&.[.&.[.&d".'.[.&Rich.[.&................PE..L....8b.........."!................ ........................................p......$.....@.........................0|..t....|.......`...............*.......p.......,..p...................@-.......+..@............................................text............................... ..`.rdata..T...........................@..@.data...T............x..............@....rsrc........`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):276
                                  Entropy (8bit):3.3973147444136718
                                  Encrypted:false
                                  SSDEEP:6:QsKRYr2qtOYrsfc/okjxaaOEqQbr62avKpnKBlv2K8hlvR4:QBG2qLsc/7aFEVbr62aInKS4
                                  MD5:9E80F03B239E8AEE75B683B0033E8414
                                  SHA1:C7A977213C2C197BBEB8D276253BE734CE3C7157
                                  SHA-256:542B016C3EAEF25CDEEBA742C14E21DECB375F602290FE54213C9B0655F698FB
                                  SHA-512:061CBC14907D61939A8AECEB7E753BD53E8E617C76286D0D3B50CF2028423CA74EA0115BFAA7770D96F84D58BDEA5A285543464FE1AA943452104748F4ABCC8A
                                  Malicious:false
                                  Reputation:low
                                   Preview (UTF-16 text, decoded):
                                   Installer cannot be installed on systems with screen resolution smaller than 1360 x 768
                                   === Logging stopped: 21/11/2024  13:36:14 ===
                                  Process:C:\Users\user\Desktop\65X4tr6fyX.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):5038592
                                  Entropy (8bit):6.043058205786219
                                  Encrypted:false
                                  SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                  MD5:11F7419009AF2874C4B0E4505D185D79
                                  SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                  SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                  SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L*......N*.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\65X4tr6fyX.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {474A16A5-B56D-420F-B554-828A20264299}, Number of Words: 0, Subject: Installer, Author: FineViews Official Community, Name of Creating Application: Installer, Template: ;1033, Comments: This installer database contains the logic and data required to install Installer., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Category:dropped
                                  Size (bytes):2493440
                                  Entropy (8bit):6.592655857107791
                                  Encrypted:false
                                  SSDEEP:49152:ghWYB67SAZhAjMApRc4yQ8xtoly4aNXVW+hv+AhiAHovZ2V9SH+0JD0N:vYBsVAEtoOo
                                  MD5:8B406D433CA4F4FFD361EE6D6E4F3F78
                                  SHA1:62C3FE78D3F15908C89C0DA8146AACB0DA6048B7
                                  SHA-256:6EEA0DCC570CCD5C65069956FAF8DA5A17162513739ABB0A4B8CD000455DE5AC
                                  SHA-512:5C37AD6C80348EB29CC221FA0929C72A6096A15698701E76057085FF65532BE4090F243957779835C54C51E00F6C7ED932840D518C1A4FC5ED00D590C5241919
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\65X4tr6fyX.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):211456
                                  Entropy (8bit):6.450220092257771
                                  Encrypted:false
                                  SSDEEP:3072:iltFwoJxZQ4fK70l5DqKtRnBBjGd4uM4h0lntiEnc2xMe4fyyERt:iaU87+3nHy6n0NF5ERt
                                  MD5:899944FB96CCC34CFBD2CCB9134367C5
                                  SHA1:7C46AA3F84BA5DA95CEFF39CD49185672F963538
                                  SHA-256:780D10EDA2B9A0A10BF844A7C8B6B350AA541C5BBD24022FF34F99201F9E9259
                                  SHA-512:2C41181F9AF540B4637F418FC148D41D7C38202FB691B56650085FE5A9BDBA068275FF07E002E1044760754876C62D7B4FC856452AF80A02C5F5A9A7DC75B5E0
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+(..oI..oI..oI..;..eI..;...I...1..JI...1...I...1..yI..;..zI..;..hI..oI...I...0..3I...0..nI...0..nI..oIe.nI...0..nI..RichoI..................PE..L.....8b.........."!.....f................................................................@.................................\...<....... .......................@ ......p...............................@...............t............................text....d.......f.................. ..`.rdata...............j..............@..@.data...dV... ......................@....rsrc... ...........................@..@.reloc..@ ......."..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\65X4tr6fyX.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):162147063
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:B913D5FAF5FC8414AE4F3E4DAF5B9C1F
                                  SHA1:F373DB4BB91DB8E556B5A5E75B29E0CC33A78DCA
                                  SHA-256:283B35D9A9DE5873D3159A3E584939D33160A1486A846CB9F49FF6509F065A6E
                                  SHA-512:7513E28727F1944640ECD71355AFEF89CF4ACBD8D452EDC201288247A7771C015DCEF9CD2FF7D882DF86D279FC22338F02D38F6394065231837D723FCDBB24BE
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {474A16A5-B56D-420F-B554-828A20264299}, Number of Words: 0, Subject: Installer, Author: FineViews Official Community, Name of Creating Application: Installer, Template: ;1033, Comments: This installer database contains the logic and data required to install Installer., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Category:dropped
                                  Size (bytes):2493440
                                  Entropy (8bit):6.592655857107791
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:8B406D433CA4F4FFD361EE6D6E4F3F78
                                  SHA1:62C3FE78D3F15908C89C0DA8146AACB0DA6048B7
                                  SHA-256:6EEA0DCC570CCD5C65069956FAF8DA5A17162513739ABB0A4B8CD000455DE5AC
                                  SHA-512:5C37AD6C80348EB29CC221FA0929C72A6096A15698701E76057085FF65532BE4090F243957779835C54C51E00F6C7ED932840D518C1A4FC5ED00D590C5241919
                                  Malicious:false
                                  Preview:......................>...................'...................................N.......{.......4...5...6...7...8...9...:...;..."...#...$...%...&...'...(...)...*...+...,...-......./...R...S...T...U...V...W...X...Y...Z...[...............................................................................................................................................................................................................................................................................................................h...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)...*...4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...G...>...?...@...A...B...C...8...E...F...P...H...I...J...K...L...M...E.......P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:modified
                                  Size (bytes):934880
                                  Entropy (8bit):6.463468533833365
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:B15DBF4B35CD1460BA283795E24878C8
                                  SHA1:327812BE4BFDCE7A87CB00FAB432ECC0D8C38C1E
                                  SHA-256:0AC07DB6140408E9586D46727EB32AF8F8048CAD535ECA9052B6EF1149E63147
                                  SHA-512:95EDC60C9658E0E8631604459969A406414902F297B7A14F2BE6D3BC18878636167D202530D4EE3B4D7AF189A9139A2183929250920196C48C08EDA3D6DFDCA4
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:bu.[.&.[.&.[.&7).'.[.&7).'Q[.&.#.'.[.&.#.'.[.&.#.'.[.&7).'.[.&7).'.[.&.[.&.Z.&d".'.[.&d".'.[.&d".&.[.&.[.&.[.&d".'.[.&Rich.[.&................PE..L....8b.........."!................ ........................................p......$.....@.........................0|..t....|.......`...............*.......p.......,..p...................@-.......+..@............................................text............................... ..`.rdata..T...........................@..@.data...T............x..............@....rsrc........`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):364484
                                  Entropy (8bit):5.365504528731528
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:F753D6C31A72A0C868BC25BE6AFB2797
                                  SHA1:2ADB24555A6BC1997A5CDB275447C0610DAC9549
                                  SHA-256:603D61A12A721BDFE85B4B6E98E561880505B636252C43D26774D30F1328215D
                                  SHA-512:3BC25A4184D48287883D7D0306EBE34726A7BF5CBF0BEB1408C9EC9C8E44686D1C09CBF7F403CB8E004FF878626DEA7EC79752D831AE09352E3CD68EBF71C589
                                  Malicious:false
                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.976853021454737
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:65X4tr6fyX.exe
                                  File size:49'006'072 bytes
                                  MD5:e74a1746e6c2d916a5b6c96913e9868b
                                  SHA1:ebbc4fa51c44db6400ab49e42acebf103211efce
                                  SHA256:737fd3383357d283d2b9d6e9e594023b44f9d3c53548ad86f6739d896dce681a
                                  SHA512:9b5d8c77b68debd12a1190eff8ddba72bb48eb555e715bb09039ad30a1555bfdb1e8173561e183f6a716b728500b4a8713b988fe467ac399ac7c94eca3411206
                                  SSDEEP:786432:btv43g5uWopZbOhNtGSEwfdPEWNIh7DU6y+cayxUEkzlAS3l8k:R438u3Zb0Nr9fKWNIBU6OU5zlACB
                                  TLSH:A9B723203759C52BCAE705B0692C869F55296E610B7E58C7F3DC3D2E16F78C21632E2B
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.....t...t...t...w.#.t...q...t...r./.t.L.p.=.t.L.w.6.t.L.q.M.t...p.4.t...u.-.t...s./.t...u...t...}.c.t...../.t...../.t...v./.t
                                  Icon Hash:29509271b2964c23
                                  Entrypoint:0x597714
                                  Entrypoint Section:.text
                                  Digitally signed:true
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6238823F [Mon Mar 21 13:48:47 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:836688c7d21e39394af41ce9a8c2d728
                                  Signature Valid:true
                                  Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                  Signature Validation Error:The operation completed successfully
                                  Error Number:0
                                   Not Before:23/09/2024 07:43:44
                                   Not After:23/09/2025 07:43:43
                                  Subject Chain
                                  • CN="Menghu Network Technology (Beijing) Co., Ltd.", O="Menghu Network Technology (Beijing) Co., Ltd.", L=Beijing, S=Beijing, C=CN, SERIALNUMBER=91110229MA01R14F61, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                  Version:3
                                  Thumbprint MD5:546BC403BAF99A4D201101D290537E78
                                  Thumbprint SHA-1:17C88198B4F3343FDDFC002BC94BD9098EC39FB2
                                  Thumbprint SHA-256:F9B5B8803D20DFB0B48BD3ADEC1305EC291D4B9202798FB9C029BB5EC49C598A
                                  Serial:42BC236A8370D6E230B726E0D4FB16C6
                                  Instruction
                                  call 00007FF8D07D429Fh
                                  jmp 00007FF8D07D3ADFh
                                  mov ecx, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], ecx
                                  pop ecx
                                  pop edi
                                  pop edi
                                  pop esi
                                  pop ebx
                                  mov esp, ebp
                                  pop ebp
                                  push ecx
                                  ret
                                  mov ecx, dword ptr [ebp-10h]
                                  xor ecx, ebp
                                  call 00007FF8D07D3133h
                                  jmp 00007FF8D07D3C42h
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], esp
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29de24 | 0x28 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a8000 | 0x3aafc | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2eb9cf0 | 0x2908 | (raw file offset into the overlay, not an RVA)
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e3000 | 0x257cc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x247848 | 0x70 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x2478c0 | 0x18 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21af38 | 0x40 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x219000 | 0x2c0 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x29b218 | 0x260 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0x21791f | 0x217a00 | c49c101070a1945156e31ccb8b4c699f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rdata | 0x219000 | 0x85e1c | 0x86000 | 0bc20f46e2242997255f9f9e7ecca899 | False | 0.31188236065764924 | data | 4.604766709480219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data | 0x29f000 | 0x89f0 | 0x6a00 | 718c6ac2ba6bcb374d818e1d67c3a166 | False | 0.1418410966981132 | DOS executable (block device driver \340kY) | 2.877738466626911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x2a8000 | 0x3aafc | 0x3ac00 | d3bde33e33a6a27121f030c0d4223667 | False | 0.1197265625 | data | 4.896445719636213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0x2e3000 | 0x257cc | 0x25800 | 341590d742eebeddce717893413cf78e | False | 0.44703125 | data | 6.513825531591639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
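Two numbers in the tables above carry the security-relevant facts about this file. The IMAGE_DIRECTORY_ENTRY_SECURITY entry ends at 0x2eb9cf0 + 0x2908 = 49,006,072, which is exactly the reported file size, so the Authenticode certificate table is the last thing in the file; and the five sections' raw sizes sum to roughly 3.2 MB, so almost all of the 49 MB is overlay, which is where a setup bootstrapper of this kind carries the MSI that msiexec later receives (an MSI installer database is listed among the dropped files above). The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's or the vendor's code: it parses a PE32 image's data directories and section table, maps each directory to the section that holds it (the "Is in Section" column) and splits the trailing bytes into overlay and certificate table. The 49 MB sample cannot be embedded, so build_pe32() and demo_image() fabricate a small PE32 image that reuses the report's section RVAs, virtual sizes, directory RVAs, entry-point RVA (0x597714 minus the 0x400000 image base) and link timestamp, while its raw sizes, overlay and signature blob are made up and scaled down; those helper names and the dummy WIN_CERTIFICATE header they write are this example's own.

```python
import struct
from datetime import datetime, timezone

# Order of the 16 IMAGE_DATA_DIRECTORY entries in the optional header.
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe32(data: bytes) -> dict:
    """DOS pointer, COFF header, PE32 optional header (data directories) and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr, "flags": flags})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "dirs": dirs,
            "sections": sections, "size": len(data),
            "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat()}


def section_for_rva(pe: dict, rva: int):
    """Section whose virtual range holds rva, else None (the 'Is in Section' column)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def authenticode_at_eof(sec_off: int, sec_size: int, file_size: int) -> bool:
    """The SECURITY entry is a raw file offset, not an RVA; a signed PE normally ends with it."""
    return sec_size > 0 and sec_off + sec_size == file_size


def overlay_layout(pe: dict) -> dict:
    """Bytes after the last section: overlay (inside the Authenticode hash) and the
    certificate table (excluded from it). Anything appended after the table is unhashed."""
    sections_end = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    sec_off, sec_size = pe["dirs"].get("SECURITY", (0, 0))
    return {"sections_end": sections_end,
            "overlay_before_sig": (sec_off if sec_size else pe["size"]) - sections_end,
            "signature_bytes": sec_size,
            "signature_at_eof": authenticode_at_eof(sec_off, sec_size, pe["size"])}


def build_pe32(sections, dirs, timestamp, overlay_size, sig_size) -> bytes:
    """Constructed PE32 image: 0x400 bytes of headers, zero-filled sections, an overlay,
    then a dummy WIN_CERTIFICATE header at EOF. Demo input only, not a loadable binary."""
    raw_ptr, layout = 0x400, []
    for name, va, vsize, raw_size, flags in sections:
        layout.append((name, va, vsize, raw_size, raw_ptr, flags))
        raw_ptr += raw_size
    sig_at = raw_ptr + overlay_size
    buf = bytearray(sig_at + sig_size)
    buf[0:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)                                 # e_lfanew
    struct.pack_into(COFF_FMT, buf, 0x84, 0x14C, len(layout), timestamp, 0, 0, 224, 0x0102)
    opt = 0x84 + 20
    struct.pack_into("<H", buf, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x197714)                          # AddressOfEntryPoint
    struct.pack_into("<III", buf, opt + 28, 0x400000, 0x1000, 0x200)        # ImageBase, alignments
    struct.pack_into("<I", buf, opt + 92, 16)                                # NumberOfRvaAndSizes
    dirs = dict(dirs, SECURITY=(sig_at, sig_size))
    for i, name in enumerate(DIR_NAMES):
        struct.pack_into("<II", buf, opt + 96 + 8 * i, *dirs.get(name, (0, 0)))
    for i, (name, va, vsize, raw_size, rptr, flags) in enumerate(layout):
        struct.pack_into(SECTION_FMT, buf, opt + 224 + 40 * i, name.encode().ljust(8, b"\0"),
                         vsize, va, raw_size, rptr, 0, 0, 0, 0, flags)
    buf[sig_at:sig_at + 8] = struct.pack("<IHH", sig_size, 0x0200, 0x0002)  # dwLength, wRevision, wCertificateType
    return bytes(buf)


def demo_image() -> bytes:
    """Constructed input reusing the report's RVAs, virtual sizes, directory RVAs, entry RVA
    and link timestamp; raw sizes, overlay (0x1000) and signature (0x300) are scaled down."""
    secs = [(".text", 0x1000, 0x21791f, 0x200, 0x60000020), (".rdata", 0x219000, 0x85e1c, 0x200, 0x40000040),
            (".data", 0x29f000, 0x89f0, 0x200, 0xC0000040), (".rsrc", 0x2a8000, 0x3aafc, 0x200, 0x40000040),
            (".reloc", 0x2e3000, 0x257cc, 0x200, 0x42000040)]
    dirs = {"IMPORT": (0x29de24, 0x28), "RESOURCE": (0x2a8000, 0x3aafc), "BASERELOC": (0x2e3000, 0x257cc),
            "DEBUG": (0x247848, 0x70), "TLS": (0x2478c0, 0x18), "LOAD_CONFIG": (0x21af38, 0x40),
            "IAT": (0x219000, 0x2c0), "DELAY_IMPORT": (0x29b218, 0x260)}
    return build_pe32(secs, dirs, 0x6238823F, overlay_size=0x1000, sig_size=0x300)


if __name__ == "__main__":
    pe = parse_pe32(demo_image())
    print(pe["timestamp_utc"], "entry RVA 0x%x" % pe["entry_rva"], overlay_layout(pe))
```

On a real file, call parse_pe32(open(path, "rb").read()); with the report's own numbers, authenticode_at_eof(0x2eb9cf0, 0x2908, 49006072) returns True. The SECURITY entry holds a file offset rather than an RVA, which is why it resolves to no section. Everything in the overlay before the certificate table is inside the Authenticode hash, so the overlay payload is covered by the valid signature reported above, whereas bytes appended after the table would not be.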
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   IMAGE_FILE | 0x2a8c20 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                   IMAGE_FILE | 0x2a8c28 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                   RTF_FILE | 0x2a8c30 | 0x2e9 | Rich Text Format data, version 1, ANSI, code page 1252 | English | United States | 0.5503355704697986
                                   RTF_FILE | 0x2a8f1c | 0xa1 | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | English | United States | 0.906832298136646
                                   RT_BITMAP | 0x2a8fc0 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
                                   RT_BITMAP | 0x2a9100 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
                                   RT_BITMAP | 0x2a9928 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
                                   RT_BITMAP | 0x2ae1d0 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
                                   RT_BITMAP | 0x2aec3c | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
                                   RT_BITMAP | 0x2aed90 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
                                   RT_ICON | 0x2af5b8 | 0x147b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9656685103948122
                                   RT_ICON | 0x2b0a34 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | English | United States | 0.030595646516029813
                                   RT_ICON | 0x2c125c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | English | United States | 0.05207841284837034
                                   RT_ICON | 0x2c5484 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | English | United States | 0.07022821576763486
                                   RT_ICON | 0x2c7a2c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | English | United States | 0.10201688555347092
                                   RT_ICON | 0x2c8ad4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | English | United States | 0.20833333333333334
                                   RT_MENU | 0x2c8f3c | 0x5c | data | English | United States | 0.8478260869565217
                                   RT_MENU | 0x2c8f98 | 0x2a | data | English | United States | 1.0714285714285714
                                   RT_DIALOG | 0x2c8fc4 | 0xac | data | English | United States | 0.7151162790697675
                                   RT_DIALOG | 0x2c9070 | 0x2a6 | data | English | United States | 0.5132743362831859
                                   RT_DIALOG | 0x2c9318 | 0x3b4 | data | English | United States | 0.43248945147679324
                                   RT_DIALOG | 0x2c96cc | 0xbc | data | English | United States | 0.7180851063829787
                                   RT_DIALOG | 0x2c9788 | 0x204 | data | English | United States | 0.560077519379845
                                   RT_DIALOG | 0x2c998c | 0x282 | data | English | United States | 0.48598130841121495
                                   RT_DIALOG | 0x2c9c10 | 0xcc | data | English | United States | 0.6911764705882353
                                   RT_DIALOG | 0x2c9cdc | 0x146 | data | English | United States | 0.5736196319018405
                                   RT_DIALOG | 0x2c9e24 | 0x226 | data | English | United States | 0.4690909090909091
                                   RT_DIALOG | 0x2ca04c | 0x388 | data | English | United States | 0.45464601769911506
                                   RT_DIALOG | 0x2ca3d4 | 0x1b4 | data | English | United States | 0.5458715596330275
                                   RT_DIALOG | 0x2ca588 | 0x136 | data | English | United States | 0.6064516129032258
                                   RT_DIALOG | 0x2ca6c0 | 0x4c | data | English | United States | 0.8289473684210527
                                   RT_STRING | 0x2ca70c | 0x45c | data | English | United States | 0.3844086021505376
                                   RT_STRING | 0x2cab68 | 0x344 | data | English | United States | 0.37320574162679426
                                   RT_STRING | 0x2caeac | 0x2f8 | data | English | United States | 0.4039473684210526
                                   RT_STRING | 0x2cb1a4 | 0x598 | data | English | United States | 0.2807262569832402
                                   RT_STRING | 0x2cb73c | 0x3aa | StarOffice Gallery theme i, 1627418368 objects, 1st n | English | United States | 0.4211087420042644
                                   RT_STRING | 0x2cbae8 | 0x5c0 | data | English | United States | 0.3498641304347826
                                   RT_STRING | 0x2cc0a8 | 0x568 | data | English | United States | 0.32875722543352603
                                   RT_STRING | 0x2cc610 | 0x164 | data | English | United States | 0.5421348314606742
                                   RT_STRING | 0x2cc774 | 0x520 | data | English | United States | 0.39176829268292684
                                   RT_STRING | 0x2ccc94 | 0x1a0 | data | English | United States | 0.45913461538461536
                                   RT_STRING | 0x2cce34 | 0x18a | data | English | United States | 0.5228426395939086
                                   RT_STRING | 0x2ccfc0 | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
                                   RT_STRING | 0x2cd1d8 | 0x624 | data | English | United States | 0.3575063613231552
                                   RT_STRING | 0x2cd7fc | 0x660 | data | English | United States | 0.3474264705882353
                                   RT_STRING | 0x2cde5c | 0x2e2 | data | English | United States | 0.4037940379403794
                                   RT_GROUP_ICON | 0x2ce140 | 0x5a | data | English | United States | 0.7666666666666667
                                   RT_VERSION | 0x2ce19c | 0x314 | data | English | United States | 0.434010152284264
                                   RT_HTML | 0x2ce4b0 | 0x37c8 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08291316526610644
                                   RT_HTML | 0x2d1c78 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
                                   RT_HTML | 0x2d2f90 | 0x4fa | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3626373626373626
                                   RT_HTML | 0x2d348c | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
                                   RT_HTML | 0x2d9f5c | 0x6a2 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3486454652532391
                                   RT_HTML | 0x2da600 | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
                                   RT_HTML | 0x2db64c | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
                                   RT_HTML | 0x2dcc00 | 0x205c | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13604538870111058
                                   RT_HTML | 0x2dec5c | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
                                   RT_MANIFEST | 0x2e22ec | 0x80f | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.40814348036839554
                                  DLLImport
                                  KERNEL32.dllCreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, 
GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW
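The flattened import line above is what a first-pass static triage keys on. The following Python is an added example written for this page, not Joe Sandbox code: it parses the report's "DLL.dllFunc, Func, ..." layout back into per-DLL sets and matches them against a small rule table whose names follow the style of the report's behavioural heuristics. Which imports each rule keys on is this example's own assumption, and the sample lines are a constructed excerpt of the KERNEL32.dll imports listed above.

```python
"""Map a flattened sandbox-report import list onto capability rules.

Added triage example; the rule-to-import mapping is an assumption of this
example, not something the report states.
"""
import re

# Constructed excerpt of the KERNEL32.dll import line as this page prints it:
# the DLL name is fused to the first import and the list wraps onto a second line.
SAMPLE_IMPORT_LINES = [
    "KERNEL32.dllCreateFileW, CloseHandle, WriteFile, DeleteFileW, GetProcessHeap, "
    "GetProcAddress, LoadLibraryExW, GetDriveTypeW, GetLogicalDriveStringsW, "
    "CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ",
    "Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, "
    "IsDebuggerPresent, VirtualProtect, VirtualAlloc, CreateProcessW, LoadLibraryW",
]

# Rule name -> imports that must ALL be present for the rule to fire.
# The last rule names an API that is absent from the sample on purpose (see note).
RULES = {
    "Checks for available system drives": {"GetLogicalDriveStringsW", "GetDriveTypeW"},
    "Checks for a debugger (IsDebuggerPresent)": {"IsDebuggerPresent"},
    "Resolves API addresses dynamically": {"GetProcAddress", "LoadLibraryW"},
    "Enumerates running processes (Toolhelp32)": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "Toggles WOW64 file-system redirection": {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"},
    "Can change memory protections (VirtualProtect)": {"VirtualProtect"},
    "Queries the volume information (GetVolumeInformationW)": {"GetVolumeInformationW"},
}

# Leading "<name>.dll"; the greedy class backtracks so "KERNEL32.dllCreateFileW" yields "KERNEL32.dll".
DLL_RE = re.compile(r"^([A-Za-z0-9_.-]+\.dll)", re.IGNORECASE)


def parse_imports(lines):
    """Return {dll: set(import names)} from flattened report lines.

    A line that starts with a DLL name opens a new DLL; any other line is a
    wrapped continuation of the previous DLL's list.
    """
    result = {}
    current = None
    for line in lines:
        stripped = line.strip()
        m = DLL_RE.match(stripped)
        if m:
            current = m.group(1)
            body = stripped[m.end():]
        else:
            body = stripped
        if current is None:
            continue  # text before any DLL header (e.g. a column title)
        names = {n.strip() for n in body.split(",") if n.strip()}
        result.setdefault(current, set()).update(names)
    return result


def match_rules(imports_by_dll, rules=RULES):
    """Return {rule: [dlls that supplied its imports]} for every fully satisfied rule."""
    owner = {}
    for dll, names in imports_by_dll.items():
        for name in names:
            owner[name] = dll
    hits = {}
    for rule, needed in rules.items():
        if needed.issubset(owner):
            hits[rule] = sorted({owner[n] for n in needed})
    return hits


def triage(lines):
    """Parse report lines and return the satisfied capability rules."""
    return match_rules(parse_imports(lines))


if __name__ == "__main__":
    for rule, dlls in triage(SAMPLE_IMPORT_LINES).items():
        print(f"{rule}: {', '.join(dlls)}")
```

The last rule deliberately names GetVolumeInformationW, which is not in these imports: an import table is only a lower bound on capability, because anything resolved through GetProcAddress (which this binary imports) or reached through another DLL leaves no static trace. Read a sandbox's behaviour list and the static import list together rather than treating either as complete.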
Language of compilation system: English
Country where language is spoken: United States
                                  No network behavior found

                                  Target ID:0
                                  Start time:13:36:01
                                  Start date:21/11/2024
                                  Path:C:\Users\user\Desktop\65X4tr6fyX.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\65X4tr6fyX.exe"
                                  Imagebase:0xad0000
                                  File size:49'006'072 bytes
                                  MD5 hash:E74A1746E6C2D916A5B6C96913E9868B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:13:36:05
                                  Start date:21/11/2024
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                  Imagebase:0x7ff6ad5a0000
                                  File size:69'632 bytes
                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:3
                                  Start time:13:36:06
                                  Start date:21/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding EBEF6F46475D66D6CF3B6B5FF30932BA C
                                  Imagebase:0x250000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:13:36:07
                                  Start date:21/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FineViews Official Community\Installer 1.0.0\install\D67B221\CapCut Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\65X4tr6fyX.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732213957 " AI_EUIMSI=""
                                  Imagebase:0x250000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:13:36:07
                                  Start date:21/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 2B5EC4E9F9B2BE78351790F405B34BD2
                                  Imagebase:0x250000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true
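The process records above show the pattern a detection rule should key on: an executable in the user's profile spawning msiexec.exe with an .msi staged under AppData\Roaming and bootstrapper properties (AI_SETUPEXEPATH, SETUPEXEDIR, EXE_CMD_LINE, AI_EUIMSI) passed on the command line, while the /V service instance and the -Embedding COM-server instances carry no package path at all. The Python below is an added example, not part of the report: it runs that logic over constructed process-creation events modelled on this tree. The pids and ppids of the service-side instances and of the parent explorer.exe, and the benign file-share install used for comparison, are invented.

```python
"""Flag msiexec.exe installs of packages staged in user-writable paths.

Added detection example; events are constructed to mirror the process tree
in this report, with invented pids for the instances the report does not tie
to a parent.
"""
import re
from pathlib import PureWindowsPath

EVENTS = [
    {"pid": 6008, "ppid": 4400, "image": r"C:\Users\user\Desktop\65X4tr6fyX.exe",
     "cmdline": r'"C:\Users\user\Desktop\65X4tr6fyX.exe"'},
    {"pid": 5336, "ppid": 6008, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": (r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FineViews Official Community'
                 r'\Installer 1.0.0\install\D67B221\CapCut Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\65X4tr6fyX.exe '
                 r'SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732213957 " AI_EUIMSI=""')},
    {"pid": 5100, "ppid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},                      # Windows Installer service
    {"pid": 5200, "ppid": 5100, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding EBEF6F46475D66D6CF3B6B5FF30932BA C"},
    # Benign comparison (constructed): an install from a file share launched via Explorer.
    {"pid": 7000, "ppid": 4400, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "\\fileserver\software\7z2301-x64.msi" /qn'},
    {"pid": 4400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# /i, /a or /package followed by a quoted or bare package path.
INSTALL_RE = re.compile(r'(?i)/(?:i|package|a)\s+(?:"([^"]+)"|(\S+))')
# PUBLIC_PROPERTY=value, value either quoted (may contain spaces) or bare.
PROP_RE = re.compile(r'\b([A-Z][A-Z0-9_]*)=("[^"]*"|\S*)')
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
BOOTSTRAPPER_PROPS = {"AI_SETUPEXEPATH", "SETUPEXEDIR", "EXE_CMD_LINE", "AI_EUIMSI"}


def is_user_writable(path):
    """Crude location check: a path segment a standard user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def msi_install_target(cmdline):
    """Return the package path from an install command line, or None."""
    m = INSTALL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def msi_properties(cmdline):
    """Return {PROPERTY: value} for the public properties on the command line."""
    return {key: value.strip('"') for key, value in PROP_RE.findall(cmdline)}


def analyze(events):
    """Return findings for msiexec installs that satisfy at least two criteria."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "msiexec.exe":
            continue
        target = msi_install_target(e["cmdline"])
        if target is None:
            continue  # service instance (/V) or -Embedding worker: nothing to score
        reasons = []
        if is_user_writable(target):
            reasons.append("MSI staged under a user-writable path")
        parent = by_pid.get(e["ppid"])
        if parent and is_user_writable(parent["image"]):
            reasons.append("parent executable lives in a user-writable path")
        props = msi_properties(e["cmdline"])
        passed = BOOTSTRAPPER_PROPS.intersection(props)
        if passed:
            reasons.append("bootstrapper properties passed through: " + ", ".join(sorted(passed)))
        if len(reasons) >= 2:
            findings.append({"pid": e["pid"], "msi": target, "properties": props, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding["pid"], finding["msi"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The AI_SETUPEXEPATH / AI_EUIMSI property names and the AppData\Roaming\<vendor>\<product>\install\<hex> staging directory are the shape produced by setup executables built with Advanced Installer, which plenty of legitimate software ships with, so this is a triage filter rather than a verdict. That is why the score requires two criteria: a staged package path alone, or a user-profile parent alone, fires on too many ordinary installs.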

                                    Execution Graph

                                    Execution Coverage:4%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:24.1%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:76
execution_graph: [interactive call-graph rendering; the export is a flat stream of nodes (numeric id, code address, optional API or library-call label) and "id->id" edges that is not readable as text and is summarised here by root address. The stream is cut off at the end of the page.]
b02530: SetUnhandledExceptionFilter (CRT start-up); c70fa6 and helpers: IsProcessorFeaturePresent, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, GetPEB, GetCurrentProcess, TerminateProcess, ExitProcess; heap helpers: RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap; synchronisation helpers: EnterCriticalSection, RtlWakeAllConditionVariable, SleepConditionVariableCS, SetEvent, ResetEvent, WaitForSingleObjectEx
c11d20 -> c11990: SHGetFolderPathW, GetTempPathW, GetTempFileNameW, Wow64DisableWow64FsRedirection, CopyFileW, Wow64RevertWow64FsRedirection, GetFileVersionInfoSizeW, GetFileVersionInfoW, GetLastError, DeleteFileW (consistent with copying a file to a temporary name with WOW64 redirection disabled, reading its version resource, then deleting the copy)
bd3b70 and bd3f50: RegOpenKeyExW, repeated RegQueryValueExW, RegCloseKey, GetCurrentProcess, IsWow64Process, GetModuleHandleW, GetProcAddress; b9e0c0: RegOpenKeyExW, GetModuleHandleW, GetProcAddress, RegCloseKey
b34cb0 and helpers: GetLastError, RtlAllocateHeap, LoadLibraryW, GetProcAddress, FreeLibrary, SendMessageW, SetWindowPos, GetWindowLongW, SetWindowLongW, GetParent, GetWindowRect, GetWindow, MonitorFromWindow, GetMonitorInfoW, DestroyWindow, RaiseException
be74f0 -> be7360: GetProcessHeap, GetTickCount, GetSystemTimePreciseAsFileTime, GetSystemTimeAsFileTime, GetUserNameW, GetLastError, GetEnvironmentVariableW, then at be79d3: GetCurrentProcess, OpenProcessToken, GetTokenInformation, CloseHandle
c63868 -> c642d7 (delay-load helper): LoadLibraryExA, GetLastError, FreeLibrary, GetProcAddress, RaiseException, GetModuleHandleW, VirtualQuery, GetSystemInfo, VirtualProtect
be4b10: GetShortPathNameW, RtlAllocateHeap, RaiseException; ad8720: CloseHandle
65928 bc4ab0 53 API calls 2 library calls 65701->65928 65702 be5232 65711 ad9e20 52 API calls 65702->65711 65727 be528c 65702->65727 65735 be565d 65703->65735 65707 be5601 65704->65707 65718 ad9e20 52 API calls 65707->65718 65708 be5384 65716 ae6a60 62 API calls 65708->65716 65712 be4f7a 65709->65712 65713 be5249 65711->65713 65820 bd0a00 42 API calls 2 library calls 65712->65820 65713->65669 65732 be5253 65713->65732 65714 ad7160 41 API calls 65717 be5550 65714->65717 65720 be539c 65716->65720 65954 bc4cc0 52 API calls _ValidateLocalCookies 65717->65954 65722 be5729 65718->65722 65719 be4f99 65729 ae6a60 62 API calls 65719->65729 65929 bd03b0 65720->65929 65722->65669 65737 ad9e20 52 API calls 65722->65737 65723 ad78d0 40 API calls 65726 be589c 65723->65726 65731 c66c0a _ValidateLocalCookies 5 API calls 65726->65731 65925 bde980 121 API calls 65727->65925 65728 be53d4 65945 bbd800 65728->65945 65733 be4fac 65729->65733 65736 be58b5 65731->65736 65732->65727 65732->65732 65823 aeab80 65732->65823 65741 ae6a60 62 API calls 65733->65741 65734->65661 65735->65669 65738 ad8d10 74 API calls 65735->65738 65736->65607 65742 be5758 65737->65742 65743 be56d3 65738->65743 65764 be4fc3 65741->65764 65742->65669 65745 be5762 SHGetFolderPathW 65742->65745 65746 ad8d10 74 API calls 65743->65746 65744 be5404 65749 ad78d0 40 API calls 65744->65749 65753 be578f 65745->65753 65761 be57e2 65745->65761 65748 be56eb 65746->65748 65956 ad6ad0 40 API calls std::ios_base::_Ios_base_dtor 65748->65956 65752 be543d 65749->65752 65754 be545a 65752->65754 65755 be5446 65752->65755 65759 be57a5 PathFileExistsW 65753->65759 65753->65761 65950 be58d0 15 API calls 65754->65950 65949 be58d0 15 API calls 65755->65949 65758 be5455 65765 be52cc 65758->65765 65759->65761 65762 be57b6 65759->65762 65760 be5469 65760->65734 65761->65765 65958 bde980 121 API calls 65761->65958 65957 ad9990 42 API calls 3 library calls 65762->65957 65766 be50ac PathFileExistsW 65764->65766 65767 be50e0 65764->65767 
65765->65723 65766->65767 65768 be50b7 65766->65768 65770 c66c0a _ValidateLocalCookies 5 API calls 65767->65770 65768->65767 65771 ad7160 41 API calls 65768->65771 65772 be512c 65770->65772 65773 be50db 65771->65773 65772->65607 65773->65767 65774->65612 65775->65646 65777 bef9d4 65776->65777 65959 bf0c40 65777->65959 65781 befa4f 65782 ad9620 42 API calls 65781->65782 65783 befa84 65782->65783 65784 befbc7 65783->65784 66042 bf2f30 101 API calls 65783->66042 65965 bd4da0 65784->65965 65787 befb0b 65790 aeab80 117 API calls 65787->65790 65792 befb1d 65790->65792 65793 bf0c40 RaiseException 65792->65793 65794 befb72 65793->65794 65794->65784 65795 befc13 65794->65795 66043 ae2a50 RaiseException 65795->66043 65797 befc1f 65798 befd54 65797->65798 65799 befdb5 65797->65799 66044 bf0c90 117 API calls 65798->66044 65801 ad9ae0 2 API calls 65799->65801 65803 befdbf 65801->65803 65802 befd60 65804 aeb580 42 API calls 65802->65804 65805 befd70 65804->65805 65805->65688 65807 ad9e20 52 API calls 65806->65807 65808 ae6a8f 65807->65808 65809 ae6aff 65808->65809 65810 ae6a95 65808->65810 65811 ad9ae0 2 API calls 65809->65811 65813 ae6ab5 65810->65813 65816 ae6ac2 65810->65816 65812 ae6b09 65811->65812 66072 ad9120 50 API calls 65813->66072 65816->65816 66073 ad9990 42 API calls 3 library calls 65816->66073 65817 ae6ac0 65817->65662 65818->65700 65819->65700 65820->65719 65821->65667 65822->65702 65824 aeac04 65823->65824 65826 aeaba2 std::_Locinfo::_Locinfo_dtor 65823->65826 65825 ad9ae0 2 API calls 65824->65825 65835 aeac0e 65824->65835 65827 aeac2b 65825->65827 65826->65824 65828 aeabe7 65826->65828 66074 ad9870 42 API calls 65826->66074 65829 aeacae 65827->65829 65831 aeaca1 FindClose 65827->65831 66075 ad98e0 40 API calls 4 library calls 65828->66075 65833 ad96e0 2 API calls 65829->65833 65831->65829 65834 aeacca 65833->65834 65836 ae6a60 62 API calls 65834->65836 65835->65727 65837 aeacdd 65836->65837 65838 aeaf47 FindFirstFileW 65837->65838 65839 aead02 PathIsUNCW 
65837->65839 65908 aeb01c 65837->65908 65842 aeaf5f GetFullPathNameW 65838->65842 65838->65908 65840 aeae4e 65839->65840 65841 aead17 65839->65841 65845 ade830 101 API calls 65840->65845 65843 ade830 101 API calls 65841->65843 65844 aeaf78 65842->65844 65899 aeb0b1 std::_Locinfo::_Locinfo_dtor 65842->65899 65854 aead1f 65843->65854 65847 aeaf93 GetFullPathNameW 65844->65847 66095 ad9870 42 API calls 65844->66095 65864 aeae56 65845->65864 65846 ad9ae0 2 API calls 65848 aeb12c 65846->65848 65850 aeafaf std::_Locinfo::_Locinfo_dtor 65847->65850 65851 ad9620 42 API calls 65848->65851 65852 aeb056 65850->65852 65860 aeafe6 65850->65860 65850->65899 65853 aeb16d 65851->65853 65868 aeb068 _wcsrchr 65852->65868 66096 ad9790 42 API calls 65852->66096 65855 aeb181 65853->65855 65874 aeb1cd 65853->65874 65854->65838 66076 adeae0 65854->66076 65857 ad9620 42 API calls 65855->65857 65863 aeb189 65857->65863 65858 aeb480 65862 ad9ae0 2 API calls 65858->65862 65861 aeb014 SetLastError 65860->65861 65870 aeb00b FindClose 65860->65870 65861->65908 65888 aeb4a8 65862->65888 65863->65727 65864->65838 65865 aeaeed 65864->65865 65864->65899 66092 ad9870 42 API calls 65864->66092 66093 aeb5f0 40 API calls 3 library calls 65865->66093 65866 aead9e 65867 aeb580 42 API calls 65866->65867 65886 aeadb1 65867->65886 65869 aeb088 _wcsrchr 65868->65869 66097 ad9790 42 API calls 65868->66097 65883 aeb09b 65869->65883 65884 aeb0b5 65869->65884 65870->65861 65873 aeb1fe 66101 aeb660 54 API calls 65873->66101 65874->65858 65874->65873 66100 aeb710 42 API calls 65874->66100 65875 aeae3d 66094 ae69c0 40 API calls 4 library calls 65875->66094 65878 aeb55e 65878->65727 65880 aeb209 65882 aeab80 109 API calls 65880->65882 65883->65899 65883->65908 66098 ad9790 42 API calls 65883->66098 65884->65899 66099 ad9790 42 API calls 65884->66099 65886->65899 65888->65878 65893 aeb518 65888->65893 65909 aeb54d 65888->65909 66107 ad9870 42 API calls 65888->66107 65898 aeaf23 65898->65838 65898->65899 65899->65846 
65899->65908 65908->65727 65909->65878 65925->65765 65926->65680 65927->65701 65928->65708 65930 bd03fb 65929->65930 65931 bd03ea 65929->65931 65932 ad9620 42 API calls 65930->65932 65934 bd044b 65930->65934 65931->65930 65933 bd048d 65931->65933 65932->65934 65935 ad9ae0 2 API calls 65933->65935 65934->65728 65936 bd0497 65935->65936 65937 bd04c4 65936->65937 65938 bd0501 65936->65938 66111 c79151 14 API calls __Getctype 65937->66111 65938->65728 65947 bbd82c 65945->65947 65948 bbd869 65945->65948 66112 c70746 65947->66112 65948->65744 65949->65758 65950->65760 65952 adeae0 101 API calls 65951->65952 65953 bd54e1 65952->65953 65953->65714 65955->65684 65956->65707 65957->65761 65958->65765 65960 bef9db 65959->65960 65961 bf0c50 65959->65961 65964 ae2a50 RaiseException 65960->65964 65961->65960 66045 ae2a50 RaiseException 65961->66045 65963 bf0c81 65964->65781 65966 ad9620 42 API calls 65965->65966 65967 bd4de3 65966->65967 65968 aeab80 117 API calls 65967->65968 65969 bd4e2a 65968->65969 66046 bb84f0 65969->66046 65973 c66c0a _ValidateLocalCookies 5 API calls 65975 bd4f8a 65973->65975 65974 bd4edd GetFileAttributesW 65977 bd4e32 65974->65977 65980 bd4fa0 65975->65980 65976 bd4f41 66053 bb85a0 65976->66053 65977->65974 65977->65976 65978 bd4da0 118 API calls 65977->65978 65979 bd4f26 FindNextFileW 65977->65979 65978->65974 65979->65976 65979->65977 65981 bd4fd6 65980->65981 65982 bd5070 RemoveDirectoryW 65980->65982 65984 bd54b0 101 API calls 65981->65984 66042->65787 66043->65797 66044->65802 66045->65963 66047 bb8552 std::locale::_Setgloballocale 66046->66047 66048 ad9e20 52 API calls 66047->66048 66049 bb856a 66048->66049 66050 bb8570 66049->66050 66051 ad9ae0 2 API calls 66049->66051 66050->65977 66052 bb859e 66051->66052 66055 bb85f1 66053->66055 66054 bb863a 66054->65973 66055->66054 66056 bb862d FindClose 66055->66056 66056->66054 66072->65817 66073->65817 66074->65828 66075->65824 66077 adebde 66076->66077 66078 adeb37 66076->66078 66079 ad9ae0 2 API calls 
66077->66079 66080 adeb8a 66078->66080 66082 adeb5a 66078->66082 66081 adebe8 66079->66081 66085 ad9e20 52 API calls 66080->66085 66087 adeb9f 66080->66087 66084 ad9620 42 API calls 66082->66084 66086 adeb62 66084->66086 66085->66087 66086->65866 66110 adebf0 89 API calls 4 library calls 66087->66110 66089 adebb9 66089->65866 66092->65865 66093->65875 66094->65898 66095->65847 66096->65868 66097->65869 66098->65899 66099->65899 66100->65873 66101->65880 66107->65893 66110->66089 66113 c7edad ___free_lconv_mon 13 API calls 66112->66113 66114 c7075e 66113->66114 66114->65948 66115 bea370 66206 beb460 337 API calls 5 library calls 66115->66206 66117 bea3a5 66207 beea30 103 API calls 2 library calls 66117->66207 66119 bea3ad 66144 bf5210 66119->66144 66123 bea3c6 66124 bea3ca 66123->66124 66187 bdb9d0 55 API calls 66123->66187 66126 bea3f4 66188 be7060 66126->66188 66145 aeb580 42 API calls 66144->66145 66146 bf523f 66145->66146 66147 aeb580 42 API calls 66146->66147 66148 bf524b 66147->66148 66208 c11e30 66148->66208 66150 bf5253 66233 bfd930 63 API calls _ValidateLocalCookies 66150->66233 66152 bf5260 66153 ad8d10 74 API calls 66152->66153 66154 bea3bf 66153->66154 66155 beef60 66154->66155 66156 beefb8 66155->66156 66164 beef97 66155->66164 66157 bef16e 66156->66157 66158 beefe6 CreateFileW 66156->66158 66168 beefd8 66156->66168 66159 ad9ae0 2 API calls 66157->66159 66160 bef00f 66158->66160 66163 bef178 66159->66163 66161 bef036 GetLastError 66160->66161 66162 bef0b7 66160->66162 66255 bd3200 76 API calls 66161->66255 66239 c100c0 66162->66239 66164->66156 66164->66157 66253 aeb710 42 API calls 66164->66253 66168->66158 66254 aeb710 42 API calls 66168->66254 66169 bef0c0 66172 bef14e 66169->66172 66173 bef0ca 66169->66173 66170 bef04d 66174 bd54b0 101 API calls 66170->66174 66248 bf0df0 66172->66248 66176 bef0cf GetLastError 66173->66176 66177 bef115 66173->66177 66178 bef065 66174->66178 66257 bd3200 76 API calls 66176->66257 66177->66123 66256 bded40 74 API calls 
66178->66256 66181 bef0e9 66183 bd54b0 101 API calls 66181->66183 66185 bef0fd 66183->66185 66184 bef07b 66184->66123 66258 bded40 74 API calls 66185->66258 66187->66126 66321 bef260 66188->66321 66191 be70b3 CreateFileW 66192 be70f1 SetFilePointer 66191->66192 66196 be70e0 CloseHandle 66191->66196 66194 be711e 66192->66194 66203 be716d 66192->66203 66351 bb5b30 66194->66351 66204 be719a 66196->66204 66203->66196 66203->66204 66205 bdcce0 173 API calls 66204->66205 66206->66117 66207->66119 66209 ad9620 42 API calls 66208->66209 66210 c11e6f 66209->66210 66211 c11e90 GetFileVersionInfoSizeW 66210->66211 66234 ad9790 42 API calls 66210->66234 66214 c11eb5 66211->66214 66215 c11ea8 66211->66215 66213 c11e8d 66213->66211 66214->66150 66215->66214 66216 c11eda GetFileVersionInfoW 66215->66216 66235 ad9790 42 API calls 66215->66235 66216->66214 66218 c11ef1 66216->66218 66220 ad9e20 52 API calls 66218->66220 66219 c11ed7 66219->66216 66221 c11ef6 66220->66221 66222 c12040 66221->66222 66227 c11f00 66221->66227 66223 ad9ae0 2 API calls 66222->66223 66224 c1204a 66223->66224 66238 c12070 WaitForSingleObject GetExitCodeThread TerminateThread CloseHandle 66224->66238 66226 c12058 std::ios_base::_Ios_base_dtor 66226->66150 66228 ad8d10 74 API calls 66227->66228 66229 c11f58 66228->66229 66231 c11f6f 66229->66231 66236 ad9790 42 API calls 66229->66236 66231->66214 66237 ad9990 42 API calls 3 library calls 66231->66237 66233->66152 66234->66213 66235->66219 66236->66231 66237->66214 66238->66226 66244 c10106 66239->66244 66240 c1015b SetFilePointer 66242 c10182 ReadFile 66240->66242 66243 c10174 GetLastError 66240->66243 66241 c1010d 66241->66169 66242->66241 66242->66244 66243->66241 66243->66242 66244->66240 66244->66241 66245 c10236 SetFilePointer 66244->66245 66245->66241 66246 c1025e ReadFile 66245->66246 66246->66241 66247 c10275 66246->66247 66247->66241 66259 bf19d0 66248->66259 66250 bef15c 66250->66123 66251 bf0dff 66251->66250 66278 bf1ea0 66251->66278 66253->66156 
66254->66158 66255->66170 66256->66184 66257->66181 66258->66177 66260 bf1abd 66259->66260 66261 bf1a1b SetFilePointer 66259->66261 66260->66251 66261->66260 66262 bf1ad1 66261->66262 66263 ad9e20 52 API calls 66262->66263 66265 bf1af1 66263->66265 66264 bf1e0f 66266 ad9ae0 2 API calls 66264->66266 66265->66264 66268 bf1b2f ReadFile 66265->66268 66273 bf1cd5 66265->66273 66267 bf1e19 66266->66267 66313 ae2a50 RaiseException 66267->66313 66270 bf1d91 GetLastError 66268->66270 66268->66273 66311 bd3200 76 API calls 66270->66311 66271 bf1e25 66271->66251 66273->66251 66274 bf1dae 66275 bd54b0 101 API calls 66274->66275 66276 bf1dc8 66275->66276 66312 bded40 74 API calls 66276->66312 66279 bf1edb SetFilePointer 66278->66279 66289 bf215c 66278->66289 66280 bf1f8a 66279->66280 66281 bf1f06 GetLastError 66279->66281 66282 bf1fb0 ReadFile 66280->66282 66280->66289 66314 bd3200 76 API calls 66281->66314 66285 bf2233 GetLastError 66282->66285 66308 bf1fd2 66282->66308 66284 bf1f20 66286 bd54b0 101 API calls 66284->66286 66319 bd3200 76 API calls 66285->66319 66288 bf1f38 66286->66288 66315 bded40 74 API calls 66288->66315 66289->66250 66290 bf2250 66292 bd54b0 101 API calls 66290->66292 66291 ad9e20 52 API calls 66291->66308 66295 bf2265 66292->66295 66293 bf22a9 66297 ad9ae0 2 API calls 66293->66297 66320 bded40 74 API calls 66295->66320 66296 bf1f4e 66296->66250 66299 bf22b3 66297->66299 66300 bf2032 ReadFile 66301 bf2189 GetLastError 66300->66301 66300->66308 66317 bd3200 76 API calls 66301->66317 66303 bf21a6 66306 bd54b0 101 API calls 66303->66306 66305 bf21d3 66305->66289 66307 bf21bb 66306->66307 66318 bded40 74 API calls 66307->66318 66308->66282 66308->66285 66308->66289 66308->66291 66308->66293 66308->66300 66308->66301 66308->66305 66310 ad9620 42 API calls 66308->66310 66316 ad9990 42 API calls 3 library calls 66308->66316 66310->66308 66311->66274 66312->66264 66313->66271 66314->66284 66315->66296 66316->66308 66317->66303 66318->66305 66319->66290 
66320->66305 66322 bef307 66321->66322 66323 bef2c3 66321->66323 66324 bf0c40 RaiseException 66322->66324 66378 bf0be0 RaiseException 66323->66378 66326 bef30e 66324->66326 66328 bef3ca 66326->66328 66329 bef316 66326->66329 66327 bef2cc 66327->66328 66330 bef2d6 66327->66330 66331 ad9e20 52 API calls 66328->66331 66332 bef322 66329->66332 66333 bef423 66329->66333 66330->66333 66334 bef2df 66330->66334 66335 bef3de 66331->66335 66379 bf0c90 117 API calls 66332->66379 66380 ae2a50 RaiseException 66333->66380 66338 ad9620 42 API calls 66334->66338 66339 bef42f 66335->66339 66340 bef2fd 66335->66340 66338->66340 66343 ad9ae0 2 API calls 66339->66343 66346 c66c0a _ValidateLocalCookies 5 API calls 66340->66346 66341 bef337 FindFirstFileW 66342 bef369 66341->66342 66344 ad9620 42 API calls 66342->66344 66345 bef439 66343->66345 66347 bef379 66344->66347 66348 be709c 66346->66348 66349 bef398 FindClose 66347->66349 66350 bef3a6 66347->66350 66348->66191 66348->66204 66349->66350 66350->66340 66352 ad9e20 52 API calls 66351->66352 66378->66327 66379->66341 66380->66339 66385 afa260 66386 afa2cb 66385->66386 66388 afa295 std::ios_base::_Ios_base_dtor 66385->66388 66387 ad78d0 40 API calls 66387->66388 66388->66386 66388->66387 66389 c1ff90 66400 c1f8c0 66389->66400 66392 c1ffba 66409 c20060 66392->66409 66394 ad7160 41 API calls 66394->66392 66401 ad7160 41 API calls 66400->66401 66402 c1f8d8 66401->66402 66403 c1f8f0 66402->66403 66404 ad78d0 40 API calls 66402->66404 66481 c21d20 66403->66481 66404->66402 66406 c1f908 66407 c1f92e 66406->66407 66485 ad8590 40 API calls std::ios_base::_Ios_base_dtor 66406->66485 66407->66392 66407->66394 66410 c200aa 66409->66410 66438 c203b1 66409->66438 66412 ad7160 41 API calls 66410->66412 66411 c66c0a _ValidateLocalCookies 5 API calls 66413 c1ffca 66411->66413 66414 c200d0 66412->66414 66446 c203e0 66413->66446 66415 c20272 66414->66415 66431 c200df 66414->66431 66416 ad7070 41 API calls 66415->66416 66417 c201c2 66416->66417 66418 
ad8d30 41 API calls 66417->66418 66419 c201d6 66418->66419 66487 ad8dd0 66419->66487 66420 ad7070 41 API calls 66420->66431 66422 ad7160 41 API calls 66422->66431 66425 ad7070 41 API calls 66426 c20205 66425->66426 66428 ad78d0 40 API calls 66426->66428 66427 ad8dd0 41 API calls 66427->66431 66429 c20211 66428->66429 66430 ad78d0 40 API calls 66429->66430 66432 c2021d 66430->66432 66431->66417 66431->66420 66431->66422 66431->66427 66435 ad78d0 40 API calls 66431->66435 66491 af9550 41 API calls 66431->66491 66433 ad7070 41 API calls 66432->66433 66444 c2024e 66432->66444 66434 c20230 66433->66434 66434->66434 66436 ad7070 41 API calls 66434->66436 66435->66431 66436->66444 66437 ad78d0 40 API calls 66437->66438 66438->66411 66439 ad7160 41 API calls 66439->66444 66441 ad8dd0 41 API calls 66441->66444 66442 ad7070 41 API calls 66442->66444 66443 ad78d0 40 API calls 66443->66444 66444->66439 66444->66441 66444->66442 66444->66443 66445 c20356 66444->66445 66492 af9550 41 API calls 66444->66492 66445->66437 66450 c20421 66446->66450 66451 c20428 66446->66451 66447 c66c0a _ValidateLocalCookies 5 API calls 66448 c1ffd1 66447->66448 66456 c205c0 66448->66456 66450->66447 66451->66451 66452 ad7160 41 API calls 66451->66452 66454 c204f1 66451->66454 66493 b01a50 41 API calls 66451->66493 66452->66451 66454->66450 66494 c70f41 51 API calls 66454->66494 66495 c21990 42 API calls std::locale::_Locimp::_Locimp 66454->66495 66457 c20d83 66456->66457 66475 c20620 std::ios_base::_Ios_base_dtor std::locale::_Setgloballocale 66456->66475 66458 c66c0a _ValidateLocalCookies 5 API calls 66457->66458 66459 c1ffdc 66458->66459 66460 c66c49 std::_Facet_Register 2 API calls 66460->66475 66464 c21840 42 API calls 66464->66475 66466 ad7160 41 API calls 66466->66475 66468 ad78d0 40 API calls 66468->66475 66474 ad8dd0 41 API calls 66474->66475 66475->66457 66475->66460 66475->66464 66475->66466 66475->66468 66475->66474 66480 c20af7 66475->66480 66496 c21da0 66475->66496 66530 bc7e10 41 API 
calls 2 library calls 66475->66530 66531 b036c0 41 API calls 66475->66531 66532 c1f560 51 API calls __Init_thread_footer 66475->66532 66533 bcd180 41 API calls 4 library calls 66475->66533 66535 bd1de0 41 API calls 4 library calls 66475->66535 66536 c22150 41 API calls std::locale::_Locimp::_Locimp 66475->66536 66537 c21af0 41 API calls 3 library calls 66475->66537 66538 ad8590 40 API calls std::ios_base::_Ios_base_dtor 66475->66538 66539 c22060 66475->66539 66544 afac90 40 API calls std::ios_base::_Ios_base_dtor 66475->66544 66477 ad7070 41 API calls 66477->66480 66478 ad78d0 40 API calls 66478->66480 66480->66475 66480->66477 66480->66478 66534 c1fe40 44 API calls std::locale::_Setgloballocale 66480->66534 66482 c21d52 std::ios_base::_Ios_base_dtor 66481->66482 66483 c21d86 66481->66483 66482->66483 66486 afac90 40 API calls std::ios_base::_Ios_base_dtor 66482->66486 66483->66406 66485->66406 66486->66482 66488 ad8e10 66487->66488 66488->66488 66489 ad7070 41 API calls 66488->66489 66490 ad8e2b 66489->66490 66490->66425 66491->66431 66492->66444 66493->66451 66494->66454 66495->66454 66497 c21f97 66496->66497 66502 c21df0 66496->66502 66547 ad6ac0 41 API calls 66497->66547 66499 c21f92 66500 ad7730 41 API calls 66499->66500 66500->66497 66501 c21f38 66503 c6c0af 40 API calls 66501->66503 66529 c21f5d std::ios_base::_Ios_base_dtor 66501->66529 66502->66499 66504 c21e63 66502->66504 66505 c21e3c 66502->66505 66506 c21fa1 66503->66506 66508 c66c49 std::_Facet_Register 2 API calls 66504->66508 66511 c21e4d 66504->66511 66505->66499 66507 c21e47 66505->66507 66509 c21d20 40 API calls 66506->66509 66510 c66c49 std::_Facet_Register 2 API calls 66507->66510 66508->66511 66512 c21fad 66509->66512 66510->66511 66511->66501 66513 c22060 41 API calls 66511->66513 66548 aefc70 40 API calls std::ios_base::_Ios_base_dtor 66512->66548 66515 c21e9f 66513->66515 66517 c21eb1 66515->66517 66518 c21efe 66515->66518 66516 c21fbb 66519 c689ab Concurrency::cancel_current_task 
RaiseException 66516->66519 66523 c21ee4 66517->66523 66526 c22060 41 API calls 66517->66526 66545 c223e0 41 API calls std::_Facet_Register 66518->66545 66521 c21fc4 66519->66521 66522 c21f09 66546 c223e0 41 API calls std::_Facet_Register 66522->66546 66524 c21d20 40 API calls 66523->66524 66527 c21ef3 66524->66527 66526->66517 66528 c21d20 40 API calls 66527->66528 66527->66529 66528->66501 66529->66475 66530->66475 66531->66475 66532->66475 66533->66475 66534->66480 66535->66475 66536->66475 66537->66475 66538->66475 66540 c66c49 std::_Facet_Register 2 API calls 66539->66540 66541 c220a9 66540->66541 66549 c22550 66541->66549 66543 c220d7 66543->66475 66543->66543 66544->66475 66545->66522 66546->66527 66548->66516 66550 c22592 66549->66550 66560 c2263f 66549->66560 66551 c66c49 std::_Facet_Register 2 API calls 66550->66551 66552 c225b4 66551->66552 66553 ad6610 41 API calls 66552->66553 66554 c225ca 66553->66554 66555 ad6610 41 API calls 66554->66555 66556 c225da 66555->66556 66557 c22550 41 API calls 66556->66557 66558 c2262e 66557->66558 66559 c22550 41 API calls 66558->66559 66559->66560 66560->66543 66561 c67470 66562 c66c49 std::_Facet_Register 2 API calls 66561->66562 66563 c674a5 66562->66563 66564 b92620 GetSystemDirectoryW 66565 b9266f 66564->66565 66587 b9272b 66564->66587 66567 ad9e20 52 API calls 66565->66567 66565->66587 66566 c66c0a _ValidateLocalCookies 5 API calls 66568 b9277b 66566->66568 66569 b9267f 66567->66569 66570 b92689 66569->66570 66571 b92783 66569->66571 66574 b926b3 66570->66574 66575 b926a5 66570->66575 66572 ad9ae0 2 API calls 66571->66572 66573 b9278d 66572->66573 66576 c66c49 std::_Facet_Register 2 API calls 66573->66576 66590 ad9990 42 API calls 3 library calls 66574->66590 66589 ad9120 50 API calls 66575->66589 66578 b928e2 66576->66578 66591 ae7990 41 API calls 2 library calls 66578->66591 66579 b926b1 66583 aeab80 117 API calls 66579->66583 66581 b9292a 66584 b926f2 66583->66584 66585 aeab80 117 API calls 66584->66585 66586 
b92719 _wcschr 66585->66586 66586->66587 66588 b9272f LoadLibraryExW 66586->66588 66587->66566 66588->66587 66589->66579 66590->66579 66591->66581 66592 bbebe0 66593 bbec19 66592->66593 66594 bbec82 RegCreateKeyExW 66592->66594 66595 bbec1e GetModuleHandleW 66593->66595 66596 bbec75 66593->66596 66597 bbec7b 66594->66597 66598 bbec2d 66595->66598 66599 bbec46 GetProcAddress 66595->66599 66596->66594 66596->66597 66600 bbecb4 66597->66600 66601 bbecab RegCloseKey 66597->66601 66599->66597 66602 bbec56 66599->66602 66601->66600 66602->66597 66603 bb8dc0 66604 bb8df7 66603->66604 66610 bb8e37 66603->66610 66605 c67112 4 API calls 66604->66605 66606 bb8e01 66605->66606 66606->66610 66611 c66fca 43 API calls 66606->66611 66608 bb8e23 66612 c670c8 EnterCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 66608->66612 66611->66608 66612->66610 66613 ad9cf0 66614 ad9d34 66613->66614 66615 ad9cfc 66613->66615 66615->66614 66616 ad9ae0 2 API calls 66615->66616 66616->66614 66617 ad2770 66618 c66c49 std::_Facet_Register 2 API calls 66617->66618 66619 ad27ac 66618->66619 66624 bac150 66619->66624 66621 ad2812 66668 c66fca 43 API calls 66621->66668 66623 ad2823 66625 bac176 66624->66625 66638 bac1f9 std::ios_base::_Ios_base_dtor 66624->66638 66626 bac28a 66625->66626 66628 bac1b8 66625->66628 66629 bac18d 66625->66629 66627 ad7730 41 API calls 66626->66627 66630 bac28f 66627->66630 66631 c66c49 std::_Facet_Register 2 API calls 66628->66631 66635 bac19e 66628->66635 66629->66626 66634 c66c49 std::_Facet_Register 2 API calls 66629->66634 66632 bac300 66630->66632 66633 bac4a5 66630->66633 66631->66635 66687 afa5e0 41 API calls 2 library calls 66632->66687 66688 ad6ac0 41 API calls 66633->66688 66634->66635 66635->66638 66640 c6c0af 40 API calls 66635->66640 66637 bac3fa 66641 c6c0af 40 API calls 66637->66641 66658 bac438 std::ios_base::_Ios_base_dtor 66637->66658 66638->66621 66638->66638 66640->66626 66647 bac4af 66641->66647 66642 bac342 66643 ad6610 41 API calls 
66642->66643 66660 bac381 66643->66660 66644 bac672 66689 ad6ac0 41 API calls 66644->66689 66646 bac66d 66648 ad7730 41 API calls 66646->66648 66647->66644 66647->66646 66650 bac54d 66647->66650 66651 bac577 66647->66651 66648->66644 66649 c6c0af 40 API calls 66652 bac67c 66649->66652 66650->66646 66653 bac558 66650->66653 66656 c66c49 std::_Facet_Register 2 API calls 66651->66656 66662 bac55e std::locale::_Locimp::_Locimp 66651->66662 66669 b01930 66652->66669 66655 c66c49 std::_Facet_Register 2 API calls 66653->66655 66655->66662 66656->66662 66657 bac687 66659 c689ab Concurrency::cancel_current_task RaiseException 66657->66659 66658->66621 66667 bac690 std::ios_base::_Ios_base_dtor 66659->66667 66660->66637 66660->66658 66661 ad78d0 40 API calls 66660->66661 66661->66660 66662->66649 66665 bac62f std::ios_base::_Ios_base_dtor 66662->66665 66663 bac70e 66663->66621 66665->66621 66666 ad78d0 40 API calls 66666->66667 66667->66663 66667->66666 66674 af53c0 66667->66674 66668->66623 66670 b01947 66669->66670 66671 b01957 std::ios_base::_Ios_base_dtor 66669->66671 66670->66671 66672 c6c0af 40 API calls 66670->66672 66671->66657 66673 b0196b 66672->66673 66690 af8ea0 66674->66690 66676 af53fb 66677 ad78d0 40 API calls 66676->66677 66678 af5407 66677->66678 66679 ad78d0 40 API calls 66678->66679 66680 af5413 66679->66680 66681 ad78d0 40 API calls 66680->66681 66682 af541f 66681->66682 66683 ad78d0 40 API calls 66682->66683 66684 af542b 66683->66684 66685 ad78d0 40 API calls 66684->66685 66686 af5439 66685->66686 66686->66667 66687->66642 66693 af8f37 std::ios_base::_Ios_base_dtor 66690->66693 66694 af8ed2 66690->66694 66691 af8ef9 66691->66693 66695 c6c0af 40 API calls 66691->66695 66692 ad78d0 40 API calls 66692->66694 66693->66676 66694->66691 66694->66692 66696 af8f6e 66695->66696 66697 be8c40 66979 c0c850 66697->66979 66699 be8c70 66700 ad9e20 52 API calls 66699->66700 66701 be8c7c 66700->66701 66702 be8f93 66701->66702 66705 be8caf 66701->66705 66706 be8ca4 
66701->66706 66703 ad9ae0 2 API calls 66702->66703 66704 be8f9d 66703->66704 66708 ad9e20 52 API calls 66704->66708 66726 be9006 66704->66726 67238 ad9990 42 API calls 3 library calls 66705->67238 67237 ad9120 50 API calls 66706->67237 66711 be8fd4 66708->66711 66710 be8cad 66985 bd9e30 66710->66985 66713 be8fda 66711->66713 66714 be9046 66711->66714 66719 aeab80 117 API calls 66713->66719 66716 ad9ae0 2 API calls 66714->66716 66715 be8ce3 66717 ad9e20 52 API calls 66715->66717 66718 be9050 66716->66718 66720 be8ceb 66717->66720 67050 bfe0c0 66718->67050 66722 be8ffb 66719->66722 66720->66702 66992 bbca40 66720->66992 67256 bf56a0 129 API calls 66722->67256 66725 ae6a60 62 API calls 66727 be90cb 66725->66727 67257 bf4d00 66727->67257 66729 be9478 66731 ad9e20 52 API calls 66729->66731 66774 be94ef 66729->66774 66736 be948d 66731->66736 66732 be8d1d 67005 bde2f0 66732->67005 66740 be9586 66736->66740 66741 be9497 66736->66741 66738 be928a 66742 ad9e20 52 API calls 66738->66742 66745 ad9ae0 2 API calls 66740->66745 66756 aeab80 117 API calls 66741->66756 66746 be9298 66742->66746 66744 c66c0a _ValidateLocalCookies 5 API calls 66748 be9560 66744->66748 66749 be9590 66745->66749 66750 be9568 66746->66750 66751 be92a2 66746->66751 66755 be95da 66749->66755 66759 ad9e20 52 API calls 66749->66759 66753 ad9ae0 2 API calls 66750->66753 66761 bbca40 11 API calls 66751->66761 66757 be9572 66753->66757 66760 be94b8 66756->66760 66762 ad9ae0 2 API calls 66757->66762 66764 be9628 66759->66764 67055 bf4f10 66760->67055 66766 be92ba 66761->66766 66767 be957c 66762->66767 66768 be9826 66764->66768 66779 be965b 66764->66779 66780 be9650 66764->66780 66770 be92c7 66766->66770 67277 bbd3d0 42 API calls 4 library calls 66766->67277 66771 ad9ae0 2 API calls 66767->66771 66769 ad9ae0 2 API calls 66768->66769 66776 be9830 66769->66776 66778 c70746 __freea 13 API calls 66770->66778 66810 be92db 66770->66810 66771->66740 66773 be90e4 66848 be91e9 66773->66848 67275 bf48d0 43 API calls 
                                    [Control-flow graph edge data, continued from the previous section: the node/edge dump of the rendered graph is omitted here; the API calls it references (SetEvent, DeleteFileW, WideCharToMultiByte, FindResourceW, CreateFileW, CreateNamedPipeW, ConnectNamedPipe, ReadFile, WriteFile, LoadLibraryW, GetProcAddress, CreateThread, WaitForSingleObject, FindFirstFileW, PathIsUNCW, PathFileExistsW, RaiseException) are summarised in the APIs list below.]
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                      • Part of subcall function 00AD9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,00AE6AC0,-00000010,?,00C11897,00000008,83C8296E), ref: 00AD9143
                                    • SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00BE8E37
                                    • SetEvent.KERNEL32(?), ref: 00BE8E95
                                      • Part of subcall function 00BF3960: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,83C8296E), ref: 00BF398B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
                                    • String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
                                    • API String ID: 4144826820-297406034
                                    • Opcode ID: 97c36776e3fe3c5f2379174cd22ae1005b3d926f2742e0aa7457d7a86dda72f9
                                    • Instruction ID: 564a0840c91b2a63aceb758468ef7a931042e6386cad5f0edd6cb4f45f5a1832
                                    • Opcode Fuzzy Hash: 97c36776e3fe3c5f2379174cd22ae1005b3d926f2742e0aa7457d7a86dda72f9
                                    • Instruction Fuzzy Hash: 57E2CF30900649DFDB00DBA9C949BAEF7F5EF44314F1482A9E415EB392EB749D09CBA1
                                    APIs
                                    • FindClose.KERNEL32(00000000), ref: 00AEACA2
                                    • PathIsUNCW.SHLWAPI(?,*.*), ref: 00AEAD03
                                    • FindFirstFileW.KERNEL32(?,00000000,*.*), ref: 00AEAF4E
                                    • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 00AEAF68
                                    • GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 00AEAF9B
                                    • FindClose.KERNEL32(00000000), ref: 00AEB00C
                                    • SetLastError.KERNEL32(0000007B), ref: 00AEB016
                                    • _wcsrchr.LIBVCRUNTIME ref: 00AEB06C
                                    • _wcsrchr.LIBVCRUNTIME ref: 00AEB08C
                                    • PathIsUNCW.SHLWAPI(?,?,83C8296E,?,00000000), ref: 00AEB24B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
                                    • String ID: *.*$\\?\$\\?\UNC\
                                    • API String ID: 1241272779-1700010636
                                    • Opcode ID: e86d6843db7c572e4b627b9803635e21070213f7a7d9bc3732f2f028e2a3b8ae
                                    • Instruction ID: 7f16d16f50e3eaccb427195ce0c3de62f30626dc2ba560771b9a4b1e37395286
                                    • Opcode Fuzzy Hash: e86d6843db7c572e4b627b9803635e21070213f7a7d9bc3732f2f028e2a3b8ae
                                    • Instruction Fuzzy Hash: 6162F031A006569FDB14DF69C989BAFB7B5FF54310F148269E816DB3A1DB31E900CBA0

                                    Control-flow Graph

                                    [Graph for the function at 00C0C120: the node/edge dump and executed/not-executed colouring of the rendered graph are omitted here; the Win32 calls visible in the graph are SetWindowTextW, GetDlgItem, SendMessageW and EndDialog. Referenced strings are listed below.]
                                    Strings
                                    • PackageCode, xrefs: 00C0C46B
                                    • SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 00C0C18E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
                                    • API String ID: 0-2409377028
                                    • Opcode ID: eba538ee9e4b18cc068dbc2577748dbbb0ca2e394d6acbdaa926d065403fd7ee
                                    • Instruction ID: b404c4ffd2b74283da6c501df3d6b3dbbaf48180b266c0493a57a6890891a116
                                    • Opcode Fuzzy Hash: eba538ee9e4b18cc068dbc2577748dbbb0ca2e394d6acbdaa926d065403fd7ee
                                    • Instruction Fuzzy Hash: D312B271A006059FDB10DFA8DC89BAEBBA4FF44310F144269F915EB2E1DB75DA40CB61

                                    Control-flow Graph

                                    [Graph for the function at 00BFFD20: the node/edge dump and executed/not-executed colouring of the rendered graph are omitted here; the graph covers the token-inspection sequence GetCurrentProcess, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid and CloseHandle, listed with their call sites under APIs below.]
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00BFFD68
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00BFFD75
                                    • GetLastError.KERNEL32 ref: 00BFFD7F
                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00BFFDA9
                                    • GetLastError.KERNEL32 ref: 00BFFDAF
                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 00BFFDD5
                                    • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BFFE08
                                    • EqualSid.ADVAPI32(00000000,?), ref: 00BFFE17
                                    • FreeSid.ADVAPI32(?), ref: 00BFFE26
                                    • CloseHandle.KERNEL32(00000000), ref: 00BFFE60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                    • String ID:
                                    • API String ID: 695978879-0
                                    • Opcode ID: 0c6c02922d3b8abd41d6f91b7519fd381e2425ada7cd46b482a3bf410a4e39f4
                                    • Instruction ID: 89bbadadc25af9234d85b73e2f5425016478a5982346e9f966379dfe8eb6a5c7
                                    • Opcode Fuzzy Hash: 0c6c02922d3b8abd41d6f91b7519fd381e2425ada7cd46b482a3bf410a4e39f4
                                    • Instruction Fuzzy Hash: C9412775D0021AEBDF10DFA4DC88BEEBBB8EF08315F504069E511B72A1E7759A08CB65

                                    Control-flow Graph (rendered graph not recoverable from text; legend: Executed / Not Executed)
                                    • Function entry: c10560; basic blocks c10560-c105f9; API calls in graph: LoadLibraryW, GetProcAddress * 4
                                    APIs
                                    • LoadLibraryW.KERNEL32(?,00000000,00BF26CB,?,?,?,?,?), ref: 00C10575
                                    Strings
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
                                    • API String ID: 1029625771-3462492388
                                    • Opcode ID: e6d988fe8a3691904cb5d5a4dff694fd2d2c470cf3ef45a728896f313340476b
                                    • Instruction ID: 7cdea9a144bc9989077586f31c496cb9c4ad00a191287b111652a1c91b0d51f7
                                    • Opcode Fuzzy Hash: e6d988fe8a3691904cb5d5a4dff694fd2d2c470cf3ef45a728896f313340476b
                                    • Instruction Fuzzy Hash: F8014C75A00351EFCB24AB20AC08E857F61F748315B00442AF62AD3360FAB588D4DFB0
                                    Similarity
                                    • API ID: Init_thread_footer$HeapProcess
                                    • String ID:
                                    • API String ID: 275895251-0
                                    • Opcode ID: 262c03e9387e9bb505356ebf4331c5d302bea5603bb06fbab8d6b4ae9228348d
                                    • Instruction ID: 082ae91a5f04bf7743de65879b70fd46e263e45839e58e2e207a2600bbe2e195
                                    • Opcode Fuzzy Hash: 262c03e9387e9bb505356ebf4331c5d302bea5603bb06fbab8d6b4ae9228348d
                                    • Instruction Fuzzy Hash: 1462AE3090064DDFDB14DFA8C984BAEBBF4FF05314F2482A9E515AB291DB74AD49CB90

                                    Control-flow Graph (rendered graph not recoverable from text; legend: Executed / Not Executed)
                                    • Function entry: bf4f10; basic blocks bf4f10-bf50c4; calls in graph: ad9e20, GetLocaleInfoW, bb5b30, ad9790, ad8d10, ad9ae0, MsgWaitForMultipleObjectsEx, PeekMessageW, TranslateMessage, DispatchMessageW
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • GetLocaleInfoW.KERNEL32(?,00000002,00CF438C,00000000), ref: 00BF4F81
                                    • GetLocaleInfoW.KERNEL32(?,00000002,000000FF,-00000001,00000078,-00000001), ref: 00BF4FBD
                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00BF5041
                                    • PeekMessageW.USER32(?,00000000), ref: 00BF5087
                                    • TranslateMessage.USER32(00000000), ref: 00BF5092
                                    • DispatchMessageW.USER32(00000000), ref: 00BF5099
                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00BF50AB
                                    Strings
                                    Similarity
                                    • API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
                                    • String ID: %d-%s
                                    • API String ID: 445213441-1781338863
                                    • Opcode ID: 128d8e72fa6dd94623cec4ecc23185c2005360b9fe861835319f2d1dc5de38b5
                                    • Instruction ID: 37a283932417a66824425ec5a23ac2d9f43fe9dc099e02733054553aa03233c0
                                    • Opcode Fuzzy Hash: 128d8e72fa6dd94623cec4ecc23185c2005360b9fe861835319f2d1dc5de38b5
                                    • Instruction Fuzzy Hash: 5251C071A00709ABE710DFA4DC45FAFB7E8EF44724F104269F614E72D1EB7199448BA1

                                    Control-flow Graph (rendered graph not recoverable from text; legend: Executed / Not Executed)
                                    • Function entry: c0b490; basic blocks c0b490-c0b6a7; calls in graph: GetUserNameW, GetLastError, GetEnvironmentVariableW, b036c0, ad7070 * 2, ad78d0 * 2, c66c0a, ad7160
                                    APIs
                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 00C0B51E
                                    • GetLastError.KERNEL32 ref: 00C0B524
                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 00C0B56C
                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00C0B5A2
                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00C0B5EC
                                    Strings
                                    Similarity
                                    • API ID: EnvironmentNameUserVariable$ErrorLast
                                    • String ID: UserDomain
                                    • API String ID: 3567734997-2275544873
                                    • Opcode ID: b0bd490dcafbaed3ca7ca5a931c005715cc29875ae58f788932b0395f3d43ab2
                                    • Instruction ID: 0a5caf8cf69a771167fbc8f071a96a3a7c0fd5ed630bb481982cdfc2dc25fcda
                                    • Opcode Fuzzy Hash: b0bd490dcafbaed3ca7ca5a931c005715cc29875ae58f788932b0395f3d43ab2
                                    • Instruction Fuzzy Hash: 23610671910209DFDF14DFA8C959BEEBBF4FF08704F544129E402A7280DB75AA49CBA1
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,83C8296E,?,?,00000000,?,?,?,?,00CD804D,000000FF,?,00BF2B4E), ref: 00C11600
                                    • CreateThread.KERNEL32(00000000,00000000,00C11980,?,00000000,?), ref: 00C11636
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00C1173F
                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 00C1174A
                                    • CloseHandle.KERNEL32(00000000), ref: 00C1176A
                                      • Part of subcall function 00AE2A50: RaiseException.KERNEL32(83C8296E,83C8296E,00000000,00000000,00C1197B,C000008C,00000001,83C8296E), ref: 00AE2A5C
                                    • WaitForSingleObject.KERNEL32(?,000000FF,83C8296E,00000000,?,?,00000001), ref: 00C117D4
                                    Similarity
                                    • API ID: CreateObjectSingleThreadWait$CloseCodeEventExceptionExitHandleRaise
                                    • String ID:
                                    • API String ID: 4001640722-0
                                    • Opcode ID: ee54816b12dfaab49be37cfef13a5b5abfd386c71fca33380a354a7b6c1d7303
                                    • Instruction ID: d54c69541f4595ff28a83f147acbb3354d8fcf9ee1537e2380b50645f43b0b5f
                                    • Opcode Fuzzy Hash: ee54816b12dfaab49be37cfef13a5b5abfd386c71fca33380a354a7b6c1d7303
                                    • Instruction Fuzzy Hash: 38D14B75A006059FCB14CF69C884BAEB7F5FF49310F198269E926EB3A1D734E940DB90
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00B92661
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • _wcschr.LIBVCRUNTIME ref: 00B9271F
                                      • Part of subcall function 00AD9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,00AE6AC0,-00000010,?,00C11897,00000008,83C8296E), ref: 00AD9143
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 00B92734
                                    Strings
                                    Similarity
                                    • API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
                                    • String ID: Kernel32.dll
                                    • API String ID: 1122257418-1926710522
                                    • Opcode ID: 9977c86786f612d274f2eb3a073f4671cb08bdda6bcf12d6594fc9e04d1858bb
                                    • Instruction ID: 3bdb616c8addcd34d51aa09bf2230f2bb74966ddf19d9925fda1f44e0d16d16d
                                    • Opcode Fuzzy Hash: 9977c86786f612d274f2eb3a073f4671cb08bdda6bcf12d6594fc9e04d1858bb
                                    • Instruction Fuzzy Hash: C4A18CB0900745EFEB14CF64C958B9ABBF4FF04318F10865DD4199B781D7BAAA18CB91
                                    APIs
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BFDBBA
                                    Strings
                                    Similarity
                                    • API ID: DiskFreeSpace
                                    • String ID: \$\$\
                                    • API String ID: 1705453755-3791832595
                                    • Opcode ID: 7fefe1cf9d01f6efd8a850b7ae7608810e7ba2318ad62104365313a6f39311d5
                                    • Instruction ID: bf6c762db40b585fa81a5b684cbd66cccdb80513d0ddf76918f095dd876229c8
                                    • Opcode Fuzzy Hash: 7fefe1cf9d01f6efd8a850b7ae7608810e7ba2318ad62104365313a6f39311d5
                                    • Instruction Fuzzy Hash: CB41E662A0425987CB30DF2484406BBB7F2FF99354F164AAEEAC8D7141F77188898386
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000008,?,00AE0E77,?,?,00AE0C24,?), ref: 00C667BD
                                    • HeapAlloc.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C667C4
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00AE0C24,?), ref: 00C6680A
                                    • HeapFree.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C66811
                                      • Part of subcall function 00C66656: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00C66800,00000000,?,?,00AE0C24,?), ref: 00C6667A
                                      • Part of subcall function 00C66656: HeapAlloc.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C66681
                                    Similarity
                                    • API ID: Heap$Process$Alloc$Free
                                    • String ID:
                                    • API String ID: 1864747095-0
                                    • Opcode ID: ade0aa533bcd330b618101679cd641a6aebf9066133dfd7d8e7dc6262932c3fc
                                    • Instruction ID: 836b5f05c6876b11ae52a62458b1797ab42639bf145e66fae643161fe4b0cd33
                                    • Opcode Fuzzy Hash: ade0aa533bcd330b618101679cd641a6aebf9066133dfd7d8e7dc6262932c3fc
                                    • Instruction Fuzzy Hash: 9AF0B4726447629BCB312BB9BC89B5F3AA5EF88B61B014428F146CB244DE30C80197A1
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,00000000), ref: 00BD540D
                                    • FindClose.KERNEL32(00000000), ref: 00BD546C
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                    Similarity
                                    • API ID: Find$AllocateCloseFileFirstHeap
                                    • String ID:
                                    • API String ID: 1673784098-0
                                    • Opcode ID: 42db23034d59f8e055ba8c8be62dfeb68c066e384f747620330c1d84a92b7f46
                                    • Instruction ID: c56ef11eebfcfe9ac3a311088776801e5735480a006bd0fc78babbfe6a53009b
                                    • Opcode Fuzzy Hash: 42db23034d59f8e055ba8c8be62dfeb68c066e384f747620330c1d84a92b7f46
                                    • Instruction Fuzzy Hash: 4131A171904A14DBCB34DF54C888B9AF7F4EF44325F20819AD95A97380E7715984CF95
                                    Similarity
                                    • API ID: Init_thread_footer$HeapProcess
                                    • String ID:
                                    • API String ID: 275895251-0
                                    • Opcode ID: bbae38fa99221675390b4cc4613b8241cfea32b3ba5bc70d34af6ef2a8cbd9f3
                                    • Instruction ID: a260a150751a00df65ca71f9989ffed9d08b92531e2fcb339c428011d7595764
                                    • Opcode Fuzzy Hash: bbae38fa99221675390b4cc4613b8241cfea32b3ba5bc70d34af6ef2a8cbd9f3
                                    • Instruction Fuzzy Hash: 98E17070A01649EFDB14DFA8C884BAEB7F4FF44314F1481A9E915EB391DB74AA09CB50
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0baef228ec8b1f587fb78641fb6ac4b3e3efd37a228a26e2ed177841a07065a5
                                    • Instruction ID: 12b65559c5f764d7967dd7f4f3aaa4ec37e57b0dcf8a18f4f76007e5b37361ec
                                    • Opcode Fuzzy Hash: 0baef228ec8b1f587fb78641fb6ac4b3e3efd37a228a26e2ed177841a07065a5
                                    • Instruction Fuzzy Hash: 41419230501689DFDB28DF58C995BEDB3A4FF44320F5086AAE819973E1EB709E04CB50
                                    APIs
                                    • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,83C8296E,83C8296E,?,?,?,?,00000000), ref: 00C0C979
                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,83C8296E,83C8296E,?,?,?,?,00000000,Function_001BEE85), ref: 00C0C99A
                                    Similarity
                                    • API ID: Create$FileNamedPipe
                                    • String ID:
                                    • API String ID: 1328467360-0
                                    • Opcode ID: b8895e236b3b48bd4ab69f8875a4bfdf48bb43d06cbd02f4e183b8d94543081c
                                    • Instruction ID: 30f707db679e24d11a566c7ef196fb1353cc1741b73a3bac6f80f7932d1cbe13
                                    • Opcode Fuzzy Hash: b8895e236b3b48bd4ab69f8875a4bfdf48bb43d06cbd02f4e183b8d94543081c
                                    • Instruction Fuzzy Hash: DE310631A88745BFE730CF14CC45B9ABBA4EB01720F10872EF9A59B6D0D771A900CB54
                                    APIs
                                    • __set_se_translator.LIBVCRUNTIME ref: 00B02548
                                    • SetUnhandledExceptionFilter.KERNEL32(00BD17A0), ref: 00B0255E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled__set_se_translator
                                    • String ID:
                                    • API String ID: 2480343447-0
                                    • Opcode ID: 32723752663bc74678dc90bd1534006773514c9192888fd264d852bf5abaa9e0
                                    • Instruction ID: 2b96e5e96299d57c52822ed54f01b3c1fb9a433438ceec2cec2924393a568a65
                                    • Opcode Fuzzy Hash: 32723752663bc74678dc90bd1534006773514c9192888fd264d852bf5abaa9e0
                                    • Instruction Fuzzy Hash: DEE02672A083803EC31097949C4EF0A7F90EB95710F044886F608A3261D77058458771
                                    APIs
                                      • Part of subcall function 00BD3860: __Init_thread_footer.LIBCMT ref: 00BD3940
                                    • CoCreateInstance.COMBASE(00CF41E8,00000000,00000001,00D10588,000000B0), ref: 00C17B8E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CreateInit_thread_footerInstance
                                    • String ID:
                                    • API String ID: 3436645735-0
                                    • Opcode ID: b3a951e21b73fc50554bf1e867ec312576fee4eb677cf936eaab762a02fc51db
                                    • Instruction ID: 7348b72525280fa7a37f4cc440ca49e7103ae532f7b953d5faeeee177d978ca8
                                    • Opcode Fuzzy Hash: b3a951e21b73fc50554bf1e867ec312576fee4eb677cf936eaab762a02fc51db
                                    • Instruction Fuzzy Hash: 9B11A171604745EFD720CF59E804B96BBF4EB05B10F10466EE8259B7C0D7B66544CBA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6d8f2ec5d65d546f277d6f47be0f5072617d773a122ac50e1c52c0e79f9b35b5
                                    • Instruction ID: 437de7ad98f60949993536d2d98206de190695b9b2d0e773df1acb1292223e40
                                    • Opcode Fuzzy Hash: 6d8f2ec5d65d546f277d6f47be0f5072617d773a122ac50e1c52c0e79f9b35b5
                                    • Instruction Fuzzy Hash: B302C472E046159FCB18DF6CD881AAEBBF5EB49310F14866EE815E7390E730AD45CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$CreateHeapInstanceProcess
                                    • String ID:
                                    • API String ID: 3807588171-0
                                    • Opcode ID: b003b1c4fe7ff1dd99b96dcd81c3d870826936d5cafe0903105abd276c4ed5d8
                                    • Instruction ID: 12616af8220d801c90cf2013363fd2cd5bc105ce3d55f81e9b32cc75669bcfff
                                    • Opcode Fuzzy Hash: b003b1c4fe7ff1dd99b96dcd81c3d870826936d5cafe0903105abd276c4ed5d8
                                    • Instruction Fuzzy Hash: 516132B0500745DFEB50DF64C14838ABBF0BF09308F108A5DD49A9B392DBB5A689DB91

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00BD3BDE
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00BD3C25
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00BD3C44
                                    • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00BD3C73
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00BD3CE8
                                    • RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00BD3D51
                                    • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00BD3DB4
                                    • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00BD3E06
                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00BD3EA3
                                    • GetProcAddress.KERNEL32(00000000), ref: 00BD3EAA
                                    • __Init_thread_footer.LIBCMT ref: 00BD3EBE
                                    • GetCurrentProcess.KERNEL32(?), ref: 00BD3EE1
                                    • IsWow64Process.KERNEL32(00000000), ref: 00BD3EE8
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD3F22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
                                    • String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
                                    • API String ID: 1906320730-525127412
                                    • Opcode ID: f45adb456709d51a7ea931ef43815bb23130a9d485b9937363cabd2c44cd54eb
                                    • Instruction ID: dfb5114db01fe9da4b646bfa568477615412d4ee42e98ac79b259bdc6368745d
                                    • Opcode Fuzzy Hash: f45adb456709d51a7ea931ef43815bb23130a9d485b9937363cabd2c44cd54eb
                                    • Instruction Fuzzy Hash: 46A16171904718DEDB20DF14CC45B9AB7F4FB04B15F0441EAE549E62D1EB74AA88CFA1

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00BD3FC0
                                    • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00BD3FFB
                                    • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00BD4076
                                    • RegCloseKey.KERNEL32(00000000), ref: 00BD424E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                    • API String ID: 1586453840-3149529848
                                    • Opcode ID: 879459f1782bb4f4e00d2883de4eacca07da8935537c597a3ee25b265f86aec8
                                    • Instruction ID: 2fb571bf4da18b2e49ac3a004a24fe03207df04e6f70dafeb3d19ddf8b361fc8
                                    • Opcode Fuzzy Hash: 879459f1782bb4f4e00d2883de4eacca07da8935537c597a3ee25b265f86aec8
                                    • Instruction Fuzzy Hash: 9C7190307043089BDB209B60CD81BAAF6E5EB51354F1040FBE919EB795FB34DD898B61

                                    Control-flow Graph

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00BF589C
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                      • Part of subcall function 00AE2A50: RaiseException.KERNEL32(83C8296E,83C8296E,00000000,00000000,00C1197B,C000008C,00000001,83C8296E), ref: 00AE2A5C
                                    • __Init_thread_footer.LIBCMT ref: 00BF58EC
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$AllocateConditionExceptionHeapRaiseVariableWake
                                    • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$shfolder.dll
                                    • API String ID: 2519272855-3044903971
                                    • Opcode ID: b1039e1b9be3a5da8048b4368831b35fca13f652e1ce0906ace7c4acd03a4e79
                                    • Instruction ID: 4166b78184e5a031b4e72a3dd57147ae3bccfc52e5ce79c0df99f8e1eabe205c
                                    • Opcode Fuzzy Hash: b1039e1b9be3a5da8048b4368831b35fca13f652e1ce0906ace7c4acd03a4e79
                                    • Instruction Fuzzy Hash: EA71E771904A0ADBDB20EB64C886BBEB3E1EF10324F1486A9E716973D1E771DD09C761

                                    Control-flow Graph

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,?), ref: 00BF0FC0
                                    • GetLastError.KERNEL32(?), ref: 00BF1011
                                      • Part of subcall function 00BFDAE0: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BFDBBA
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?), ref: 00BF11FC
                                    • GetLastError.KERNEL32(?,?,?), ref: 00BF121C
                                    • GetLastError.KERNEL32(?, Error:,00000007,Failed to extract file:,00000017,?,?,?,?,?,?,?,?), ref: 00BF12EE
                                    • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?), ref: 00BF137E
                                    • GetLastError.KERNEL32(?,?,?), ref: 00BF1389
                                      • Part of subcall function 00BD3200: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,83C8296E,?,00000000), ref: 00BD324B
                                      • Part of subcall function 00BD3200: GetLastError.KERNEL32(?,00000000), ref: 00BD3255
                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00010000,?,?,?), ref: 00BF1478
                                    • WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?), ref: 00BF14AA
                                    • CloseHandle.KERNEL32(?,?,?,?), ref: 00BF152F
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 00BF1577
                                    • CloseHandle.KERNEL32(?,?,00CF442C,?,?,?), ref: 00BF15E5
                                    • CloseHandle.KERNEL32(?,00CF442C,?,?,?), ref: 00BF1617
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?), ref: 00BF1800
                                    • FindClose.KERNEL32(00000000,?,?), ref: 00BF1835
                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?), ref: 00BF18D9
                                    • GetLastError.KERNEL32(?,?), ref: 00BF18E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: File$ErrorLast$Close$Handle$CreateFind$DeleteDiskExistsFirstFormatFreeMessagePathPointerReadSpaceWrite
                                    • String ID: Error:$Failed to extract file:$Not enough disk space to extract file:
                                    • API String ID: 2361583447-4103669389
                                    • Opcode ID: 6ff4c9c84944457b61ca043c809838d8eb5de1961a91f9561ef61a48deb36612
                                    • Instruction ID: 63208b3cc6f2989d95db3490039586bf6a10c24801b2a538bb8d4746591077c9
                                    • Opcode Fuzzy Hash: 6ff4c9c84944457b61ca043c809838d8eb5de1961a91f9561ef61a48deb36612
                                    • Instruction Fuzzy Hash: B742C471A00209EFDB10DF68C884BAEBBF5EF54314F148699E915AB391DB70ED48CB61

                                     Control-flow Graph
                                     • Rendered graph not reproduced. Entry block: 00BE7360. Blocks that call into the API: 00BE73E4 (GetTickCount), 00BE79AC (GetCurrentProcess, OpenProcessToken), 00BE79ED (GetTokenInformation), 00BE7A4F (CloseHandle).
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • GetTickCount.KERNEL32 ref: 00BE73E4
                                    • __Xtime_get_ticks.LIBCPMT ref: 00BE73EC
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE7436
                                    • __Init_thread_footer.LIBCMT ref: 00BE7631
                                    • GetCurrentProcess.KERNEL32 ref: 00BE79D3
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00BE79E3
                                     • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),?,00000004,?), ref: 00BE7A0F (0x14 is TokenElevation in winnt.h's 1-based TOKEN_INFORMATION_CLASS, not TokenIntegrityLevel, which is 0x19; the 4-byte buffer fits TOKEN_ELEVATION, so this is an is-elevated check)
                                    • CloseHandle.KERNEL32(00000000), ref: 00BE7A50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                    • String ID: \/:*?"<>|
                                    • API String ID: 3363527671-3830478854
                                    • Opcode ID: a596fbd57462a3d5a49f8f32391f4184401c31e3ed2b2d8ab8d3211dd93cf235
                                    • Instruction ID: d750f3620fb87549d6a7108013ca23c92750bbea29783a3c30f8cdc59047774e
                                    • Opcode Fuzzy Hash: a596fbd57462a3d5a49f8f32391f4184401c31e3ed2b2d8ab8d3211dd93cf235
                                    • Instruction Fuzzy Hash: 4522BC70A04258DFDB10DF68CD49BAEBBB4FF04304F1445A9E409AB392EB749A44DFA1
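
The triage value of a listing like the one above lies in the argument immediates, which the report prints as raw hex. The following Python is an added example (not Joe Sandbox code and not part of the analysed sample): it parses API lines in this report's format, using as constructed input the lines copied from this page for the function at 00BE7360 and for the CreateFileW/SetFilePointer/SetEndOfFile sequence in the function at 00BF36B0, decodes the constants from winnt.h, and flags two call chains: OpenProcessToken(TOKEN_QUERY) followed by GetTokenInformation with class 0x14, and CreateFileW(GENERIC_WRITE, CREATE_ALWAYS) followed by SetFilePointer and SetEndOfFile. The decoder ignores the report's own parenthesised annotation and works from the numeric value: TOKEN_INFORMATION_CLASS is 1-based, so 0x14 is TokenElevation (whose TOKEN_ELEVATION result is exactly the 4 bytes the call passes as buffer length), while TokenIntegrityLevel is 0x19. The constant tables cover only the bits that appear on this page; the function names and the two chain definitions are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed sample input: API lines copied verbatim from this page (functions 00BE7360
# and 00BF36B0). The "(TokenIntegrityLevel)" annotation is kept exactly as the sandbox
# printed it; decode() ignores annotations and works from the numeric value only.
SAMPLE_API_LINES = """\
• GetCurrentProcess.KERNEL32 ref: 00BE79D3
• OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00BE79E3
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00BE7A0F
• CloseHandle.KERNEL32(00000000), ref: 00BE7A50
• CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00BF3876
• SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00BF38D5
• SetEndOfFile.KERNEL32(?), ref: 00BF38DE
"""

Value = Union[int, str, None]  # hex immediate, string literal, or "?" (unknown statically)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Value]
    ref: int  # call-site address

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>[^\s.(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
ARG_RE = re.compile(r"(-?)([0-9A-Fa-f]{8})(?:\(\w+\))?")  # 8 hex digits, optional "(Name)" annotation

def parse_arg(tok: str) -> Value:
    tok = tok.strip()
    if tok == "?":
        return None
    m = ARG_RE.fullmatch(tok)
    if m is None:
        return tok  # string literal such as atlthunk.dll or \\?\
    return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or a non-API line ("Strings", "Memory Dump Source", ...)
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

# Constant tables from winnt.h; only the values needed for what appears on this page.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
TOKEN_ACCESS = {0x2: "TOKEN_DUPLICATE", 0x8: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES"}
# TOKEN_INFORMATION_CLASS is 1-based: TokenElevation is 20 (0x14); TokenIntegrityLevel is 25 (0x19).
TOKEN_INFO_CLASS = {18: "TokenElevationType", 19: "TokenLinkedToken", 20: "TokenElevation", 25: "TokenIntegrityLevel"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}

def flags(value: Value, table: Dict[int, str]) -> str:
    if not isinstance(value, int):
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)  # bits the table does not name
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def decode(call: ApiCall) -> Dict[str, object]:
    """Symbolic view of the arguments that matter for triage; {} for other APIs."""
    a = call.args
    if call.api == "CreateFileW" and len(a) >= 5:
        return {"access": flags(a[1], GENERIC_ACCESS), "share": flags(a[2], SHARE_MODE),
                "disposition": DISPOSITION.get(a[4], str(a[4]))}
    if call.api == "OpenProcessToken" and len(a) >= 2:
        return {"access": flags(a[1], TOKEN_ACCESS)}
    if call.api == "GetTokenInformation" and len(a) >= 4:
        return {"class": TOKEN_INFO_CLASS.get(a[1], str(a[1])), "buffer_len": a[3]}
    if call.api == "SetFilePointer" and len(a) >= 4:
        return {"distance": a[1], "method": MOVE_METHOD.get(a[3], str(a[3]))}
    return {}

def find_elevation_check(calls: List[ApiCall]) -> Optional[ApiCall]:
    """OpenProcessToken(TOKEN_QUERY) then GetTokenInformation(TokenElevation): an is-elevated probe."""
    opened = False
    for c in calls:
        d = decode(c)
        if c.api == "OpenProcessToken" and "TOKEN_QUERY" in d.get("access", "").split("|"):
            opened = True
        elif opened and c.api == "GetTokenInformation" and d.get("class") == "TokenElevation":
            return c
    return None

def find_preallocation(calls: List[ApiCall]) -> Optional[int]:
    """CreateFileW(GENERIC_WRITE, CREATE_ALWAYS), SetFilePointer(n, FILE_BEGIN), SetEndOfFile: returns n."""
    created, distance = False, None
    for c in calls:
        d = decode(c)
        if c.api == "CreateFileW" and d.get("disposition") == "CREATE_ALWAYS" \
                and "GENERIC_WRITE" in d.get("access", "").split("|"):
            created = True
        elif created and c.api == "SetFilePointer" and d.get("method") == "FILE_BEGIN":
            distance = d["distance"]
        elif created and distance is not None and c.api == "SetEndOfFile":
            return distance
    return None
```

Run over the page's own lines, find_elevation_check() returns the GetTokenInformation call at 00BE7A0F, and find_preallocation() returns 0x7FFFFFFF, the size set on the file the function at 00BF36B0 creates (that function also references "%sholder%d.aiph" and the "Not enough disk space to extract file:" message, which is consistent with a space-reservation placeholder). Any other "APIs" block on this page can be pasted into parse_api_lines() as-is; non-API lines are skipped.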

                                     Control-flow Graph
                                     • Rendered graph not reproduced. Entry block: 00BD4FA0. Blocks that call into the API: 00BD502A and 00BD5070 (RemoveDirectoryW), 00BD5082 and 00BD5192 (GetLastError), 00BD513A and 00BD5180 (DeleteFileW); block 00BD52AF calls 00BD4FA0 again, so the function recurses into itself.
                                    APIs
                                    • RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,00BD5A23), ref: 00BD5043
                                      • Part of subcall function 00AD9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,00AE6AC0,-00000010,?,00C11897,00000008,83C8296E), ref: 00AD9143
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                    • RemoveDirectoryW.KERNEL32(00000008,83C8296E,00000008,00000000,00000008,00000000,00CCB90D,000000FF,?,00BD5A23), ref: 00BD5072
                                    • GetLastError.KERNEL32(?,00BD5A23,?,?,?,?,?,?,?,?,?,?,?,?,00CD8085,000000FF), ref: 00BD5082
                                    • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,00000000,00CCB90D,000000FF,?,80004005,83C8296E,00000008,00000000,00000008,00000000), ref: 00BD5153
                                    • GetLastError.KERNEL32(?,83C8296E,00000008,00000000,?,00000000,00CCB90D,000000FF,?,80004005,83C8296E,00000008,00000000,00000008,00000000,00CCB90D), ref: 00BD5192
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • DeleteFileW.KERNEL32(?,83C8296E,00000008,00000000,?,00000000,00CCB90D,000000FF,?,80004005,83C8296E,00000008,00000000,00000008,00000000,00CCB90D), ref: 00BD5182
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BD5281
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: DeleteDirectoryErrorFileHeapInit_thread_footerLastRemove$AllocateFindProcessResource_wcsrchr
                                    • String ID: \\?\
                                    • API String ID: 3513978327-4282027825
                                    • Opcode ID: 9fccc4d4add416cb1422ce5c74228b9cb887c4b95a7c2b715046eceb07668a46
                                    • Instruction ID: 87f9aea6a1eb65e52809d1a6eab153e57e91d02553857a61e670413353266d58
                                    • Opcode Fuzzy Hash: 9fccc4d4add416cb1422ce5c74228b9cb887c4b95a7c2b715046eceb07668a46
                                    • Instruction Fuzzy Hash: CDA19071901A19DFDB24DB68C849BAEF7F4FF04321F1486AAE521D7391EB719904CB90

                                     Control-flow Graph
                                     • Rendered graph not reproduced. Entry block: 00C6654A. Blocks that call into the API: 00C66557 and 00C665D9 (DecodePointer), 00C66564 (LoadLibraryExA); the four blocks in between each call 00C665FA once, one per AtlThunk_* import.
                                    APIs
                                    • DecodePointer.KERNEL32(83C8296E,?,?,00C66890,00D75C90,?,?,?,00C12657,00000000,83C8296E,?,00C12792), ref: 00C6655C
                                    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,83C8296E,?,?,00C66890,00D75C90,?,?,?,00C12657,00000000,83C8296E,?,00C12792), ref: 00C66571
                                    • DecodePointer.KERNEL32(83C8296E,?,?,?,?,?,?,?,?,?,00000000,83C8296E,?,00C12792), ref: 00C665ED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: DecodePointer$LibraryLoad
                                    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                    • API String ID: 1423960858-1745123996
                                    • Opcode ID: be66004a5b0562236f841c7f82654c713f4881cc7a18a0e7a231dc5a61f72779
                                    • Instruction ID: b191a58a66cc54a4fdab6bbb3f4652d2d6c7dee59754d47ad81e13892ce3d65f
                                    • Opcode Fuzzy Hash: be66004a5b0562236f841c7f82654c713f4881cc7a18a0e7a231dc5a61f72779
                                    • Instruction Fuzzy Hash: C201DB30541750AFCA269714AD87B8A3B555B12708F048070BC077B29DFBB1AA08C993

                                     Control-flow Graph
                                     • Rendered graph not reproduced. Entry block: 00C11990. Blocks that call into the API: 00C119D5 (SHGetFolderPathW), 00C11A57 (GetTempPathW, GetTempFileNameW, Wow64DisableWow64FsRedirection, CopyFileW), 00C11B28 (Wow64RevertWow64FsRedirection).
                                    APIs
                                      • Part of subcall function 00BD39A0: __Init_thread_footer.LIBCMT ref: 00BD3A72
                                    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,83C8296E,00000000,00000000), ref: 00C119E4
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00C11A79
                                    • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00C11AAA
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00C11ADD
                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 00C11AFF
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00C11B2E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
                                    • String ID: shim_clone
                                    • API String ID: 4264308349-3944563459
                                    • Opcode ID: 4294942009ec915a9a4220b6092815866caf405f08b97c1764da039dbb528676
                                    • Instruction ID: 4d5743c4004761057f6b6b009444775c9b7619c9535242fcbd882c2480a433e5
                                    • Opcode Fuzzy Hash: 4294942009ec915a9a4220b6092815866caf405f08b97c1764da039dbb528676
                                    • Instruction Fuzzy Hash: 3851F670A042589BDB20DF24CC45BEEB7B9EF55700F1840A9EA05972C1EB799F84DB90

                                     Control-flow Graph
                                     • Rendered graph not reproduced. Entry block: 00BF36B0. Blocks that call into the API: 00BF3834 (CreateFileW), 00BF38CD (SetFilePointer, SetEndOfFile), 00BF38F6 (CloseHandle).
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00BF3876
                                    • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00BF38D5
                                    • SetEndOfFile.KERNEL32(?), ref: 00BF38DE
                                    • CloseHandle.KERNEL32(?), ref: 00BF38F7
                                    Strings
                                    • Not enough disk space to extract file:, xrefs: 00BF377A
                                    • %sholder%d.aiph, xrefs: 00BF3852
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointer
                                    • String ID: %sholder%d.aiph$Not enough disk space to extract file:
                                    • API String ID: 22866420-929304071
                                    • Opcode ID: 8ff450b2a3b7b2a7aa282cd05edb1a5e4dcb2129c27b968b092f07fabb6e63d5
                                    • Instruction ID: 765718bf9f28ec14946d1ed99b32c97fd8af668823c5ce37c62961232c115d1e
                                    • Opcode Fuzzy Hash: 8ff450b2a3b7b2a7aa282cd05edb1a5e4dcb2129c27b968b092f07fabb6e63d5
                                    • Instruction Fuzzy Hash: BD81BCB5A002499BDB10DF68CC45BAEB7E4FF48720F148699FA15A7391DB74EE04CB90

                                     Control-flow Graph
                                     • Rendered graph not reproduced. Entry block: 00C100C0. Blocks that call into the API: 00C1015B and 00C10236 (SetFilePointer), 00C10174 (GetLastError), 00C10182 and 00C1025E (ReadFile).
                                    APIs
                                    • SetFilePointer.KERNEL32(00CD7C6D,-00000400,?,00000002,00000400,83C8296E,?,?,?), ref: 00C10166
                                    • GetLastError.KERNEL32(?,?), ref: 00C10174
                                    • ReadFile.KERNEL32(00CD7C6D,00000000,00000400,?,00000000,?,?), ref: 00C1018F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: File$ErrorLastPointerRead
                                    • String ID: ADVINSTSFX
                                    • API String ID: 64821003-4038163286
                                    • Opcode ID: 6e5cd62cac8bdff4701a8d1e06f8e94f7e1cc74545f2b0c800a63797753f3fe4
                                    • Instruction ID: b9067464270d272e6fe306a9d2f8a9bfc80d7b62fb3eac5fce0a209abc1789b5
                                    • Opcode Fuzzy Hash: 6e5cd62cac8bdff4701a8d1e06f8e94f7e1cc74545f2b0c800a63797753f3fe4
                                    • Instruction Fuzzy Hash: 9361A371A002099BDB10CFA4C889BFEBBB5FB46310F344255E525AB381D7B49EC1DB60
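
The function at 00C100C0 seeks 0x400 bytes back from the end of the file (SetFilePointer with distance -0x400 and move method 2, FILE_END), reads that tail with ReadFile, and references the string ADVINSTSFX: the shape of a self-extracting stub locating its own appended payload through a marker in a trailer. The following Python is an added example, not code from the page or from the installer's vendor. It reproduces the seek-and-read on a constructed file image, handles the file-too-short case (the seek fails, which is the path on which the function calls GetLastError), and locates the marker. Only the marker string and the 0x400 tail size come from the page; the filler bytes and the bytes placed after the marker are constructed, and nothing is assumed about the real trailer layout.

```python
import os
import tempfile
from typing import Optional, Tuple

MARKER = b"ADVINSTSFX"  # string referenced by the function at 00C100C0
TAIL_LEN = 0x400        # ReadFile length and SetFilePointer distance (from FILE_END) on this page

def read_tail(fh, length: int = TAIL_LEN) -> Optional[bytes]:
    """SetFilePointer(h, -length, NULL, FILE_END) followed by ReadFile(h, buf, length).
    Returns None when the seek fails (file shorter than `length`), the branch in which
    the stub calls GetLastError and gives up instead of reading."""
    try:
        fh.seek(-length, os.SEEK_END)
    except (OSError, ValueError):  # OSError for real files, ValueError for BytesIO
        return None
    data = fh.read(length)
    return data if len(data) == length else None

def find_marker(tail: bytes) -> Optional[int]:
    """Offset of the last ADVINSTSFX occurrence inside the tail, or None if absent."""
    idx = tail.rfind(MARKER)
    return idx if idx >= 0 else None

def locate_sfx_trailer(path: str) -> Optional[Tuple[int, bytes]]:
    """(absolute file offset of the marker, bytes between the marker and end of file)."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        tail = read_tail(fh)
    if tail is None:
        return None
    idx = find_marker(tail)
    if idx is None:
        return None  # no marker within the last 0x400 bytes: not an SFX of this kind
    return size - TAIL_LEN + idx, tail[idx + len(MARKER):]

def build_sample_image(stub_len: int, trailer: bytes = b"") -> bytes:
    """Constructed stand-in for an SFX: `stub_len` filler bytes in place of the executable,
    then the marker, then a hypothetical trailer. The real layout of what follows the
    marker is not shown on the page, so nothing is assumed about it here."""
    return b"\xCC" * stub_len + MARKER + trailer

def write_sample_file(image: bytes) -> str:
    """Write a constructed image to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(image)
    return path

if __name__ == "__main__":
    sample = write_sample_file(build_sample_image(4096, b"\x00" * 8))
    print(locate_sfx_trailer(sample))
    os.unlink(sample)
```

locate_sfx_trailer() returns the marker's offset and whatever follows it; a real parser would need the trailer format, which this page does not show. The marker has to sit within the last 0x400 bytes for this lookup to find it, which is the same constraint the stub's fixed-size tail read imposes.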
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00AE2930
                                    • GetWindowLongW.USER32(?,000000FC), ref: 00AE2945
                                    • CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00AE295B
                                    • GetWindowLongW.USER32(?,000000FC), ref: 00AE2975
                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 00AE2985
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$CallProc
                                    • String ID: $
                                    • API String ID: 513923721-3993045852
                                    • Opcode ID: ef24f30fa1ccbf029cf55e82304146d7ae71f78cde8832a87f789ff2d188c3ea
                                    • Instruction ID: e6590303757b79f1996d5300b4dea2be91d5310973c902f377805200aa4b8d89
                                    • Opcode Fuzzy Hash: ef24f30fa1ccbf029cf55e82304146d7ae71f78cde8832a87f789ff2d188c3ea
                                    • Instruction Fuzzy Hash: F841F271108740AFC724DF1AD884A1BFBF9FF88724F505A1DF59A836A1D772E8448B62
                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,83C8296E,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 00BBEC23
                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00BBEC4C
                                    • RegCreateKeyExW.KERNEL32(?,00AE7319,00000000,00000000,00000000,?,00000000,00000000,?,83C8296E,?,?,?,00000000,?,Function_001BEE20), ref: 00BBEC99
                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 00BBECAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AddressCloseCreateHandleModuleProc
                                    • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                    • API String ID: 1765684683-2994018265
                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,83C8296E,?,?,?,?,?,Function_001BEE20,000000FF,?,00BCFE9C,?,?,000000FF), ref: 00B9E103
                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00B9E12C
                                    • RegOpenKeyExW.KERNEL32(?,83C8296E,00000000,?,00000000,83C8296E,?,?,?,?,?,Function_001BEE20,000000FF,?,00BCFE9C,?), ref: 00B9E165
                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BEE20,000000FF,?,00BCFE9C,?,?,000000FF), ref: 00B9E178
                                    Strings
                                    Similarity
                                    • API ID: AddressCloseHandleModuleOpenProc
                                    • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                    • API String ID: 823179699-3913318428
                                    APIs
                                    • GetDlgItem.USER32(?,00000002), ref: 00BEE0F0
                                    • GetWindowRect.USER32(00000000,?), ref: 00BEE106
                                    • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00BEDEA7,?,00000000), ref: 00BEE11F
                                    • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00BEDEA7,?), ref: 00BEE12A
                                    • GetDlgItem.USER32(?,000003E9), ref: 00BEE13C
                                    • GetWindowRect.USER32(00000000,?), ref: 00BEE152
                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 00BEE195
                                    Similarity
                                    • API ID: Window$Rect$Item$InvalidateShow
                                    • String ID:
                                    • API String ID: 2147159307-0
                                    APIs
                                    • SetFilePointer.KERNEL32(?,?,?,00000000,83C8296E,?,?,00000002,?,?,?,?,?,?,00000000,00CD1942), ref: 00BF1EF7
                                    • GetLastError.KERNEL32(?,00000002), ref: 00BF2189
                                    • GetLastError.KERNEL32(?,00000002), ref: 00BF2233
                                    • GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00CD1942,000000FF,?,00BF0E0A,00000010), ref: 00BF1F06
                                      • Part of subcall function 00BD3200: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,83C8296E,?,00000000), ref: 00BD324B
                                      • Part of subcall function 00BD3200: GetLastError.KERNEL32(?,00000000), ref: 00BD3255
                                    • ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00BF1FC8
                                    • ReadFile.KERNEL32(?,83C8296E,00000000,00000000,00000000,00000001,?,00000002), ref: 00BF2045
                                    Similarity
                                    • API ID: ErrorLast$File$Read$FormatMessagePointer
                                    • String ID:
                                    • API String ID: 3903527278-0
                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,83C8296E,83C8296E,?,?,?,?,00BF485D,?,83C8296E,?,00000000,?,00000000,00CD20E5), ref: 00C11E95
                                    • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,?,00000000,?,?,00BF485D,?,83C8296E,?,00000000,?,00000000,00CD20E5), ref: 00C11EE3
                                    Strings
                                    Similarity
                                    • API ID: FileInfoVersion$Size
                                    • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                    • API String ID: 2104008232-2149928195
                                    APIs
                                      • Part of subcall function 00C11990: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,83C8296E,00000000,00000000), ref: 00C119E4
                                      • Part of subcall function 00C11990: GetTempPathW.KERNEL32(00000104,?), ref: 00C11A79
                                      • Part of subcall function 00C11990: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00C11AAA
                                      • Part of subcall function 00C11990: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00C11ADD
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,83C8296E,00000000,?,?,00000000,00CD8105,000000FF,Shlwapi.dll,00C11CD6,?,?,00000010), ref: 00C11D6D
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,00000010), ref: 00C11D99
                                    • GetLastError.KERNEL32(?,00000010), ref: 00C11DDE
                                    • DeleteFileW.KERNEL32(?), ref: 00C11DF1
                                    Strings
                                    Similarity
                                    • API ID: File$InfoPathTempVersionWow64$DeleteDisableErrorFolderLastNameRedirectionSize
                                    • String ID: Shlwapi.dll
                                    • API String ID: 1841109139-1687636465
                                    APIs
                                    • LoadLibraryW.KERNEL32(ComCtl32.dll,83C8296E,00000000,?,00000000), ref: 00BD335E
                                    • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00BD3381
                                    • FreeLibrary.KERNEL32(00000000), ref: 00BD33FF
                                    Strings
                                    Similarity
                                    • API ID: Library$AddressFreeLoadProc
                                    • String ID: ComCtl32.dll$LoadIconMetric
                                    • API String ID: 145871493-764666640
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • PathIsUNCW.SHLWAPI(?,?), ref: 00BD56F6
                                    • _wcschr.LIBVCRUNTIME ref: 00BD5712
                                    Strings
                                    Similarity
                                    • API ID: Init_thread_footer$HeapPathProcess_wcschr
                                    • String ID: \\?\$\\?\UNC\
                                    • API String ID: 660126660-3019864461
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,83C8296E,?,00000010,?), ref: 00BEEE4A
                                      • Part of subcall function 00BFFD20: GetCurrentProcess.KERNEL32 ref: 00BFFD68
                                      • Part of subcall function 00BFFD20: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00BFFD75
                                      • Part of subcall function 00BFFD20: GetLastError.KERNEL32 ref: 00BFFD7F
                                      • Part of subcall function 00BFFD20: CloseHandle.KERNEL32(00000000), ref: 00BFFE60
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                      • Part of subcall function 00AD9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,00AE6AC0,-00000010,?,00C11897,00000008,83C8296E), ref: 00AD9143
                                    Strings
                                    Similarity
                                    • API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
                                    • String ID: Extraction path set to:$[WindowsVolume]$\\?\
                                    • API String ID: 699919280-3538578949
                                    APIs
                                    • ConnectNamedPipe.KERNEL32(?,00000000,83C8296E,?,000000FF,?,?,00000000,00CD7306,000000FF,?,00C0D22A,000000FF,?,00000001), ref: 00C0D04C
                                    • GetLastError.KERNEL32(?,?,00000000,00CD7306,000000FF,?,00C0D22A,000000FF,?,00000001), ref: 00C0D056
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,83C8296E,?,000000FF,?,?,00000000,00CD7306,000000FF,?,00C0D22A,000000FF), ref: 00C0D0A3
                                    Strings
                                    Similarity
                                    • API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
                                    • String ID: \\.\pipe\ToServer
                                    • API String ID: 2973225359-63420281
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,83C8296E,?,00000010,?,00BEA430,?), ref: 00BE70C6
                                    • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00BE710F
                                    • ReadFile.KERNEL32(00000000,83C8296E,?,?,00000000,00000078,?), ref: 00BE7151
                                    • CloseHandle.KERNEL32(00000000), ref: 00BE71CA
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerRead
                                    • String ID:
                                    • API String ID: 4133201480-0
                                    APIs
                                    • __freea.LIBCMT ref: 00C802C1
                                      • Part of subcall function 00C7EDE7: RtlAllocateHeap.NTDLL(00000000,00000000,00C7E2B4,?,00C80055,?,00000000,?,00C707B5,00000000,00C7E2B4,?,?,?,?,00C7E0AE), ref: 00C7EE19
                                    • __freea.LIBCMT ref: 00C802D6
                                    • __freea.LIBCMT ref: 00C802E6
                                    Similarity
                                    • API ID: __freea$AllocateHeap
                                    • String ID:
                                    • API String ID: 2243444508-0
                                    APIs
                                    • SetFilePointer.KERNEL32(?,?,?,00000000,83C8296E,?,?), ref: 00BF1A37
                                    • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00BF1B44
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: File$PointerRead
                                    • String ID:
                                    • API String ID: 3154509469-0
                                    • Opcode ID: 8043d2619891d21b4d836bb95dc7699e85fc50ba4440da4bb67a7d4ec51049fe
                                    • Instruction ID: bd163148736b26bd67aa46c5905b24638468416d50cebdd4ef1477c468d5abe8
                                    • Opcode Fuzzy Hash: 8043d2619891d21b4d836bb95dc7699e85fc50ba4440da4bb67a7d4ec51049fe
                                    • Instruction Fuzzy Hash: 32617E71D00649EFDB14CFA8C945B9DFBF4FB09320F14866AE925A7390EB759A04CB90
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,83C8296E,?,00000000,?,80004005,?,00000000), ref: 00BEEFFE
                                    • GetLastError.KERNEL32 ref: 00BEF036
                                    • GetLastError.KERNEL32(?), ref: 00BEF0CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CreateFile
                                    • String ID:
                                    • API String ID: 1722934493-0
                                    • Opcode ID: c72e65af091b75f271dc89bfae2185d256c29d64af1c534cc69c793c41a7985c
                                    • Instruction ID: 4c1985f194296f360e734ffb6522a62e1ea5a09a5c166fc0277581ef05eea120
                                    • Opcode Fuzzy Hash: c72e65af091b75f271dc89bfae2185d256c29d64af1c534cc69c793c41a7985c
                                    • Instruction Fuzzy Hash: 5451F571A00646DBDB20DF69C845BAAF7F1FF44320F1486A9E525A73E1EB31A900CB91
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,83C8296E,-00000010,?,?,?,00C118AA,00000000,00000008,83C8296E), ref: 00BD592B
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00D03B4C,00000001,?), ref: 00BD59EA
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00CD8085,000000FF,?,00C11989), ref: 00BD59F8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryErrorLastPath
                                    • String ID:
                                    • API String ID: 953296794-0
                                    • Opcode ID: ddecc7ed9e211334c7d3c8c72e58a03f8213f6e9af4e345a6e662355aae0d94c
                                    • Instruction ID: ce24507ea190318a0c375575071a543f73f86a641e4827df06cf8fd083044d12
                                    • Opcode Fuzzy Hash: ddecc7ed9e211334c7d3c8c72e58a03f8213f6e9af4e345a6e662355aae0d94c
                                    • Instruction Fuzzy Hash: CD61A131D00A099FDB10DFA8C885B9DFBF4EF14324F14829AE415A73D1EB749904CB60
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,00C7D7C6,?,?,?,?,83C8296E), ref: 00C7D7DD
                                    • TerminateProcess.KERNEL32(00000000,?,00C7D7C6,?,?,?,?,83C8296E), ref: 00C7D7E4
                                    • ExitProcess.KERNEL32 ref: 00C7D7F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 5bb77a891d05be42949b96e7b46463c2124d7c25ca946460496326ae9e5e1ab1
                                    • Instruction ID: 4642c54d56b9bddc94943f33ce9ce9287df7670b925cd178a5070e3606e68ee3
                                    • Opcode Fuzzy Hash: 5bb77a891d05be42949b96e7b46463c2124d7c25ca946460496326ae9e5e1ab1
                                    • Instruction Fuzzy Hash: E2D09232000188BBCF013F65DD4DB8D3F7AEF44352B008060FA2A5E1B2DB319992EA82
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: _wcsrchr
                                    • String ID: .msi
                                    • API String ID: 1752292252-299543723
                                    • Opcode ID: e4c3050da97748b47cda8876baf01bd2a01500ab71c16c82e407d341c2b43bff
                                    • Instruction ID: ca500afb28e471eb9201d2979519f68221f594f01f7de5c2e016a91886698047
                                    • Opcode Fuzzy Hash: e4c3050da97748b47cda8876baf01bd2a01500ab71c16c82e407d341c2b43bff
                                    • Instruction Fuzzy Hash: DDE1BF71A0068AEFDB10DF69C884BAEB7F5FF54314F1482A9E8119B291DB74ED14CB90
                                    APIs
                                      • Part of subcall function 00BE7360: GetTickCount.KERNEL32 ref: 00BE73E4
                                      • Part of subcall function 00BE7360: __Xtime_get_ticks.LIBCPMT ref: 00BE73EC
                                      • Part of subcall function 00BE7360: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE7436
                                      • Part of subcall function 00C0B490: GetUserNameW.ADVAPI32(00000000,?), ref: 00C0B51E
                                      • Part of subcall function 00C0B490: GetLastError.KERNEL32 ref: 00C0B524
                                      • Part of subcall function 00C0B490: GetUserNameW.ADVAPI32(00000000,?), ref: 00C0B56C
                                      • Part of subcall function 00C0B490: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00C0B5A2
                                      • Part of subcall function 00C0B490: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00C0B5EC
                                    • __Init_thread_footer.LIBCMT ref: 00BE7631
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                    • String ID: \/:*?"<>|
                                    • API String ID: 2099558200-3830478854
                                    • Opcode ID: b0a0a094f40ae47380b73b75db758cf706f854f963ecf737aff51bf9030f09bf
                                    • Instruction ID: 4ef4d0bd6681e0ba705a1a5b2626d479e81a2000c2205aaee206761d74c53e06
                                    • Opcode Fuzzy Hash: b0a0a094f40ae47380b73b75db758cf706f854f963ecf737aff51bf9030f09bf
                                    • Instruction Fuzzy Hash: F7E1BC70904298DFDB24DFA8C955BEEBBB0BF01308F1441D9D409AB392EB745A84DFA1
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,83C8296E), ref: 00BD5DC0
                                      • Part of subcall function 00BD5E80: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00BD5E8D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
                                    • String ID: USERPROFILE
                                    • API String ID: 1777821646-2419442777
                                    • Opcode ID: a8c70165459a3de40c0e5c012579940c4bc7590daa49606029236b1af16da4b2
                                    • Instruction ID: 19cf4c2e81e1b1b6f3d9ac8e6119e9273f3734ab040766df78e8e482c40d2f57
                                    • Opcode Fuzzy Hash: a8c70165459a3de40c0e5c012579940c4bc7590daa49606029236b1af16da4b2
                                    • Instruction Fuzzy Hash: D8618371A006099FDB24DF68C959BAEF7E5FF44310F14866EE816DB391EB709900CBA0
                                    APIs
                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00B34D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID: $
                                    • API String ID: 1378638983-3993045852
                                    • Opcode ID: 11256392b17ece82a93377afd6c3442d8bfa710b5036e3d747a4e6f5f02dd5a2
                                    • Instruction ID: 4d03c9d9a083872c5035b15fe83ff8f46f8a52bf3602293eb97d9be40055f42f
                                    • Opcode Fuzzy Hash: 11256392b17ece82a93377afd6c3442d8bfa710b5036e3d747a4e6f5f02dd5a2
                                    • Instruction Fuzzy Hash: DC317872108340DBCB549F09C88471ABBF0FF89711F2885A9F9958B2A9D7B5ED44CB92
                                    APIs
                                      • Part of subcall function 00C83F7C: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00C83FA7
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00C84293,?,00000000,?,?,?), ref: 00C844AD
                                    • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C84293,?,00000000,?,?,?), ref: 00C844EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID:
                                    • API String ID: 546120528-0
                                    • Opcode ID: c93302e162579e16318eaeb2e7ca2dfb5a8819b0c573c9e73c4201cee1c18c9e
                                    • Instruction ID: e014209e7def2f21e2dd45b08896f6fd69ee2e99d813ac6f62f1f6c0f4cb077c
                                    • Opcode Fuzzy Hash: c93302e162579e16318eaeb2e7ca2dfb5a8819b0c573c9e73c4201cee1c18c9e
                                    • Instruction Fuzzy Hash: EE5125719002469FDB28EF75C8807AFBBF5EF85308F14446ED0A28B251E775DA45CB94
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 00C126E1
                                    • EndDialog.USER32(00000000,00000001), ref: 00C126F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: DialogWindow
                                    • String ID:
                                    • API String ID: 2634769047-0
                                    • Opcode ID: bb049edb748aa51f7c210b22fd8a339bd2002c3dd277118d6e5725d076b2e715
                                    • Instruction ID: ca103612139fcdd0f519bc6d4a6ba4d35b30ea7884e0fd91b8b7a4e0e9970540
                                    • Opcode Fuzzy Hash: bb049edb748aa51f7c210b22fd8a339bd2002c3dd277118d6e5725d076b2e715
                                    • Instruction Fuzzy Hash: 8E518934901B45DFD711CF68C948B8AFBF4EF4A310F1482A9D459DB3A1DB70AA44DB91
                                    APIs
                                    • GetLastError.KERNEL32(00BED643,00000000), ref: 00BEDE50
                                    • DestroyWindow.USER32(?), ref: 00BEDF07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: DestroyErrorLastWindow
                                    • String ID:
                                    • API String ID: 1182162058-0
                                    • Opcode ID: 140bd17f949f01f117e64d5e1170c33f74f6085b72de5ea908c80c69bbd1eeba
                                    • Instruction ID: 8e2d88c92451090394a26159515dfb5d4f1bf60c8fbb1016fe6e54c53629d23f
                                    • Opcode Fuzzy Hash: 140bd17f949f01f117e64d5e1170c33f74f6085b72de5ea908c80c69bbd1eeba
                                    • Instruction Fuzzy Hash: 6C2127716002499BDB209F09EC067AA77E4EB54320F0042A6FC05CB790D7B5EC60DBF1
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000), ref: 00C104E5
                                    • CloseHandle.KERNEL32(?), ref: 00C10539
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CloseFreeHandleLibrary
                                    • String ID:
                                    • API String ID: 10933145-0
                                    • Opcode ID: a038135c40cefe664eae01d7088a350dfcbca8415dc3ac116a31af213b729f76
                                    • Instruction ID: 607a91df1cf8b182cfe3dad407cb3993667360896d06b03b18bc9a0d2fe9a343
                                    • Opcode Fuzzy Hash: a038135c40cefe664eae01d7088a350dfcbca8415dc3ac116a31af213b729f76
                                    • Instruction Fuzzy Hash: 7F210870604B069BD714CF69DC48B96BBB8FB05714F104229E429D7390FBB9D984CBA0
                                    APIs
                                      • Part of subcall function 00BD3320: LoadLibraryW.KERNEL32(ComCtl32.dll,83C8296E,00000000,?,00000000), ref: 00BD335E
                                      • Part of subcall function 00BD3320: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00BD3381
                                      • Part of subcall function 00BD3320: FreeLibrary.KERNEL32(00000000), ref: 00BD33FF
                                    • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00BD1FB4
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BD1FBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: LibraryMessageSend$AddressFreeLoadProc
                                    • String ID:
                                    • API String ID: 3032493519-0
                                    • Opcode ID: 48025159b5078efc2a0bb026d0faa70ea09177c3b60effa964c765cb9887897a
                                    • Instruction ID: 654208bfd48df49b58931711a3d220ccef073a6b74dba78650bc6b67231e84d4
                                    • Opcode Fuzzy Hash: 48025159b5078efc2a0bb026d0faa70ea09177c3b60effa964c765cb9887897a
                                    • Instruction Fuzzy Hash: 11F0303178121837F66021596C47F6BB68DD781F74F104266FA98AB3C2ECC67D0402E9
                                    APIs
                                    • LCMapStringEx.KERNEL32(?,00C80200,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00C8150C
                                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00C80200,?,?,00000000,?,00000000), ref: 00C8152A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: String
                                    • String ID:
                                    • API String ID: 2568140703-0
                                    • Opcode ID: cd3385d8f2af78444b93314b6bc72c0c7d49ea929eb4074d96ab6259f693f163
                                    • Instruction ID: 01235d98c5e31b258a39ed98c2b777a079609dee5b002fa20eb671374368d09f
                                    • Opcode Fuzzy Hash: cd3385d8f2af78444b93314b6bc72c0c7d49ea929eb4074d96ab6259f693f163
                                    • Instruction Fuzzy Hash: 94F03F3240015ABBCF126F91DC05EDE3F66FF597A4F054110FE1566120D736D972AB94
                                    APIs
                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,00C833ED,?,00000000,?,?,00C8368E,?,00000007,?,?,00C83CE8,?,?), ref: 00C7EDC3
                                    • GetLastError.KERNEL32(?,?,00C833ED,?,00000000,?,?,00C8368E,?,00000007,?,?,00C83CE8,?,?), ref: 00C7EDCE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 485612231-0
                                    • Opcode ID: 081aa277b8b23a7551e0765ced70006e7f0c05ee5c1e4e7a3bfae995ee6fc37f
                                    • Instruction ID: abeb970569494f5b68e8191594013d72504d93e28791df411eac173cc8feb26d
                                    • Opcode Fuzzy Hash: 081aa277b8b23a7551e0765ced70006e7f0c05ee5c1e4e7a3bfae995ee6fc37f
                                    • Instruction Fuzzy Hash: 34E08632100214A7CB312BA5AC4D75D3B69EB04391F044051F50C8A161E6348980DB90
                                    APIs
                                    • EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00BF4EE0,?), ref: 00BF4D4B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: EnumLanguagesResource
                                    • String ID:
                                    • API String ID: 4141015960-0
                                    • Opcode ID: 24ff069a9693a64fc02919a73b0b12e17119918e36c457e02da835b143e10a9a
                                    • Instruction ID: 2ef633f4232d6af2afa26c96f62329d1fef1c52c05f6dd879c632fb3f97ba01e
                                    • Opcode Fuzzy Hash: 24ff069a9693a64fc02919a73b0b12e17119918e36c457e02da835b143e10a9a
                                    • Instruction Fuzzy Hash: 2451A07590060A8FDB24CF68C981BAFB7F5FF48304F0146A9E615A7681EB71ED48CB60
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,83C8296E,00000000,?,?,00000001), ref: 00C117D4
                                      • Part of subcall function 00AE2A50: RaiseException.KERNEL32(83C8296E,83C8296E,00000000,00000000,00C1197B,C000008C,00000001,83C8296E), ref: 00AE2A5C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ExceptionObjectRaiseSingleWait
                                    • String ID:
                                    • API String ID: 2077088295-0
                                    • Opcode ID: 66c9d8cb7dae697bad88f7b993030a228445dd23df6e113162b29596fa490cc8
                                    • Instruction ID: 314d3d29022f1243a1701c5f7af669c09b64d1fe92c3d84c0c910d0c27d98691
                                    • Opcode Fuzzy Hash: 66c9d8cb7dae697bad88f7b993030a228445dd23df6e113162b29596fa490cc8
                                    • Instruction Fuzzy Hash: D651A035A006059FDB04DF68C894AAAF7F5FF4A310F1981A9E925DB3A1DB34ED40DB90
                                    APIs
                                    • GetCPInfo.KERNEL32(E8458D00,?,00C8429F,00C84293,00000000), ref: 00C84082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Info
                                    • String ID:
                                    • API String ID: 1807457897-0
                                    • Opcode ID: d09072f4f46af09b02feb2577bec2bb04ecac87f146ac47bb7cf0994f5c98fa4
                                    • Instruction ID: 65396b371f4ae829b9f432e95f6c6d124c522a262dca4eb4a2d5e95a943aecd0
                                    • Opcode Fuzzy Hash: d09072f4f46af09b02feb2577bec2bb04ecac87f146ac47bb7cf0994f5c98fa4
                                    • Instruction Fuzzy Hash: 53517DB15042599BDB259F28CC84FEA7BBCEB65308F2405EDE59AC7142D3319E86DF20
                                    APIs
                                    • DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,83C8296E), ref: 00BF398B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: 6e09dbd1f8b2f387b3c43b388094e72ce5f171000b5626c2728682a15c193bb2
                                    • Instruction ID: 394246326d054328a96cbea0208786cb21a8e26709a2f4d0939bcde6763b8831
                                    • Opcode Fuzzy Hash: 6e09dbd1f8b2f387b3c43b388094e72ce5f171000b5626c2728682a15c193bb2
                                    • Instruction Fuzzy Hash: 61412B71900618DFDB10CF59C880BADF7F4FF05B10F1082B9E955EB281D770AA048BA0
                                    APIs
                                      • Part of subcall function 00BD3AD0: __Init_thread_footer.LIBCMT ref: 00BD3B46
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    • __Init_thread_footer.LIBCMT ref: 00BD3940
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                    • String ID:
                                    • API String ID: 984842325-0
                                    • Opcode ID: 6386d237047fc99604f2a9409ca0c49fc5359ad429c24639ca3fc55c6cca70f6
                                    • Instruction ID: 10311e7a4861d5d2383a98781d0f20620ddbc210c09443ebbcc29cdcc3a16e81
                                    • Opcode Fuzzy Hash: 6386d237047fc99604f2a9409ca0c49fc5359ad429c24639ca3fc55c6cca70f6
                                    • Instruction Fuzzy Hash: D531C3B1508B409FDB54EF08EC86B4DB7E0F700B14F204AAAE45A87395F3F569848B65
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00BF29F8,?,00000000,00000000,?,?), ref: 00C1061D
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                      • Part of subcall function 00C106F0: WaitForSingleObject.KERNEL32(?,000000FF,83C8296E,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00C10724
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AllocateCreateFileHeapObjectSingleWait
                                    • String ID:
                                    • API String ID: 1261966429-0
                                    • Opcode ID: ec2e4f746701a199060c0676efb32f0a7249a2dc5b864b2819d3c4f6d7fcf4e8
                                    • Instruction ID: 94aaa2af4087ec4cf2542e1e9e18daf7e088231afe5157a86e693ed2c49e0d3c
                                    • Opcode Fuzzy Hash: ec2e4f746701a199060c0676efb32f0a7249a2dc5b864b2819d3c4f6d7fcf4e8
                                    • Instruction Fuzzy Hash: C631F574204B009FD324DF28D888B5AB7E0FF89300F20895DF9AADB360D771AA91DB55
                                    APIs
                                      • Part of subcall function 00C7EDE7: RtlAllocateHeap.NTDLL(00000000,00000000,00C7E2B4,?,00C80055,?,00000000,?,00C707B5,00000000,00C7E2B4,?,?,?,?,00C7E0AE), ref: 00C7EE19
                                    • RtlReAllocateHeap.NTDLL(00000000,00000000,?,00C7E2B4,00000000,?,00C707B5,00000000,00C7E2B4,?,?,?,?,00C7E0AE,?,?), ref: 00C8009D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 9b0d38695a5675c6e5f169a6dffa6f10fc5d53769cc376e7eeeea0b3522a79c9
                                    • Instruction ID: 012d765aa92e313a725fbcded2e53d2467b244725be491621ae0b2bfdf513098
                                    • Opcode Fuzzy Hash: 9b0d38695a5675c6e5f169a6dffa6f10fc5d53769cc376e7eeeea0b3522a79c9
                                    • Instruction Fuzzy Hash: 20F04C321002146A8BB13A269C01F6F3B1A8F92775F344116F83896190DB74CD48A7A9
                                    APIs
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    • __Init_thread_footer.LIBCMT ref: 00BB8E32
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID:
                                    • API String ID: 2296764815-0
                                    • Opcode ID: d7630e98c8b1f85f3a642b358fbff726168f339c44601603792953fb6ba13131
                                    • Instruction ID: a87554726c6c6cab60bd33428aacac666723bcf7e81e8aef82e7e402eeba0ee7
                                    • Opcode Fuzzy Hash: d7630e98c8b1f85f3a642b358fbff726168f339c44601603792953fb6ba13131
                                    • Instruction Fuzzy Hash: D201D4B1A08B84DBCB14CB58E843B5973A4E704724F504B79EC1DC37C0EB34A804D721
                                    APIs
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                      • Part of subcall function 00BD3B70: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00BD3BDE
                                      • Part of subcall function 00BD3B70: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00BD3C25
                                      • Part of subcall function 00BD3B70: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00BD3C44
                                      • Part of subcall function 00BD3B70: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00BD3C73
                                      • Part of subcall function 00BD3B70: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00BD3CE8
                                    • __Init_thread_footer.LIBCMT ref: 00BD3B46
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
                                    • String ID:
                                    • API String ID: 3563064969-0
                                    • Opcode ID: 14318ef079e3c525bf54a90518f926c3e6c4b5b295ade28c21a5008db460d76b
                                    • Instruction ID: 1e20ec798d606fff95cecd456caf8836be592be591a6096b2580375d9c4a2749
                                    • Opcode Fuzzy Hash: 14318ef079e3c525bf54a90518f926c3e6c4b5b295ade28c21a5008db460d76b
                                    • Instruction Fuzzy Hash: 8601A2B1A48604EFC720DB58DD42F19B7E4E704B20F104B7AE929877D1F735AA008776
                                    APIs
                                      • Part of subcall function 00C689AB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,-00000010,?,00000008,83C8296E), ref: 00C68A0B
                                    • RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionHeapRaise
                                    • String ID:
                                    • API String ID: 3789339297-0
                                    • Opcode ID: afcf5e421068b0edf7a053dc122cc8150b99c42229dd9b05168d5aa10de3bd6e
                                    • Instruction ID: 8fa365c3a7467715cff3bde1646e6348953d3cc919f6838736d5fcf6836f3dca
                                    • Opcode Fuzzy Hash: afcf5e421068b0edf7a053dc122cc8150b99c42229dd9b05168d5aa10de3bd6e
                                    • Instruction Fuzzy Hash: D2F0E231604248BFC701DF54DC01F5ABBA8EB08B00F008639F80582690DB35A800DA55
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00C7E2B4,?,00C80055,?,00000000,?,00C707B5,00000000,00C7E2B4,?,?,?,?,00C7E0AE), ref: 00C7EE19
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 44e63e6124b8bc44a79c455a853983be566258dd65622a013a8d8f6a3bb81190
                                    • Instruction ID: fa739330cece8486b9e89529d97855e9869e8abc60a8ad430b7f4a3919c1ac82
                                    • Opcode Fuzzy Hash: 44e63e6124b8bc44a79c455a853983be566258dd65622a013a8d8f6a3bb81190
                                    • Instruction Fuzzy Hash: 59E0ED332006215AEB312A669C05B5B365EEF0D3A0F24C9A1ECAC9A1D0EB70DE4085E2
                                    APIs
                                    • RtlFreeHeap.NTDLL(?,00000000,?,83C8296E,?,Function_001BE9A0,000000FF), ref: 00AD9B7F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 48556161684d5101bdbf9252191f07818bd5137c874c506bc71a71873c229174
                                    • Instruction ID: f31aaa25034f569fa34bdc61103bc2672364435fd9354ae40608f94c2a66c917
                                    • Opcode Fuzzy Hash: 48556161684d5101bdbf9252191f07818bd5137c874c506bc71a71873c229174
                                    • Instruction Fuzzy Hash: 01E01272644648EFC711CF45EC41F56F7A8E749B10F10867AFC15D7790D775E8009A64
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: H_prolog3
                                    • String ID:
                                    • API String ID: 431132790-0
                                    • Opcode ID: 4cb9e83d014ccb0b869cd454d62203f8d84a18fc7d2a6ecc848fecdec64f66b9
                                    • Instruction ID: 276f16825e494a0c59d08d3d861dc1a7b5e5bdd6efc184144dfa40316b59560d
                                    • Opcode Fuzzy Hash: 4cb9e83d014ccb0b869cd454d62203f8d84a18fc7d2a6ecc848fecdec64f66b9
                                    • Instruction Fuzzy Hash: 28E09AB2C4020E9EDB11EFE4C492BEFB7BCAF04314F504566E245E6141EA7457459BA1
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00C6380F
                                      • Part of subcall function 00C642D7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C6434A
                                      • Part of subcall function 00C642D7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C6435B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 70a6e2bbe2124a585df8aae87b378c460b75534dc4a991e884a17f4efa5e770a
                                    • Instruction ID: 0555800bfcc8fa5deda449afca5648b3fd2b6b9b9f126a97764f4a647f6628e0
                                    • Opcode Fuzzy Hash: 70a6e2bbe2124a585df8aae87b378c460b75534dc4a991e884a17f4efa5e770a
                                    • Instruction Fuzzy Hash: 71B012822781806D313862096C52C3A068CC0C8B20330821BF004C5180F6C40C842033
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 26104157c11082a3e8e5707a7185c8f6e4a2ca3ac6111686cfad0ef215053c52
                                    • Instruction ID: 5cbecf1b02a8dc7d52f094b93ea38a8262a8bc32a34c44c16eee686dbcc7230a
                                    • Opcode Fuzzy Hash: 26104157c11082a3e8e5707a7185c8f6e4a2ca3ac6111686cfad0ef215053c52
                                    • Instruction Fuzzy Hash: EEC02B3020131047C7304F18F94878333DC9F08710F00480EB41AD7300CB74DC008654
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                    • API String ID: 0-2910470256
                                    • Opcode ID: 2917d9340402e881cad30a90a1d39f57ac108f117f686e67a8e8ee38098a8e7a
                                    • Instruction ID: 4a18488d7366b38a2136612ff15d566300e2b1098c7eddc806a375645ae95a05
                                    • Opcode Fuzzy Hash: 2917d9340402e881cad30a90a1d39f57ac108f117f686e67a8e8ee38098a8e7a
                                    • Instruction Fuzzy Hash: A93307246453C8E9D304E7F49A1676F7D529B62B04F20835DF1596B3D2EFF80A8887B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                    • API String ID: 0-1959677801
                                    • Opcode ID: bd57ece0d3aa04ad71cf18f53e619705eec50411c86e583579b58f3f0ed1de81
                                    • Instruction ID: f74ae312a7fdfa2e159acb2ace6296e4fad0877f48b056a50d1b120669f46c9e
                                    • Opcode Fuzzy Hash: bd57ece0d3aa04ad71cf18f53e619705eec50411c86e583579b58f3f0ed1de81
                                    • Instruction Fuzzy Hash: AB0307146853CCF9C705A3F85A167AF7D124B72B10F248399B2962B7D6DEE80B489373
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00AF44FA
                                    • VariantClear.OLEAUT32(?), ref: 00AF452C
                                    • VariantClear.OLEAUT32(?), ref: 00AF464F
                                    • VariantClear.OLEAUT32(?), ref: 00AF467E
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AF4685
                                    • SysAllocString.OLEAUT32(00000000), ref: 00AF46D8
                                    • VariantClear.OLEAUT32(?), ref: 00AF4766
                                    • VariantClear.OLEAUT32(?), ref: 00AF4798
                                    • VariantClear.OLEAUT32(?), ref: 00AF48F9
                                    • VariantClear.OLEAUT32(?), ref: 00AF492C
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AF4937
                                    • SysAllocString.OLEAUT32(00000000), ref: 00AF497A
                                    • VariantClear.OLEAUT32(?), ref: 00AF4A2F
                                    • VariantClear.OLEAUT32(?), ref: 00AF4A62
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AF4A70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$Free$Alloc
                                    • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                    • API String ID: 4112810936-3153392536
                                    • Opcode ID: aba466a711dd8ba06c4ebdd623f68c7bca2cd2e30e8145bf3c4b433415e54323
                                    • Instruction ID: dee0d280d37996d13e0f2da2a77b8b986806e349221c70a7e23d46e55cec6171
                                    • Opcode Fuzzy Hash: aba466a711dd8ba06c4ebdd623f68c7bca2cd2e30e8145bf3c4b433415e54323
                                    • Instruction Fuzzy Hash: 3C925771D0025CDFDB20DFA4C944BDEBBB4BF48314F10829AE519A7281EB74AA85CF95
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00AF38EA
                                    • VariantClear.OLEAUT32(?), ref: 00AF391C
                                    • VariantClear.OLEAUT32(?), ref: 00AF3A16
                                    • VariantClear.OLEAUT32(?), ref: 00AF3A45
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AF3A4C
                                    • SysAllocString.OLEAUT32(00000000), ref: 00AF3A93
                                    • VariantClear.OLEAUT32(?), ref: 00AF3B17
                                    • VariantClear.OLEAUT32(?), ref: 00AF3B49
                                    • VariantClear.OLEAUT32(?), ref: 00AF3C49
                                    • VariantClear.OLEAUT32(?), ref: 00AF3C7C
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AF3C87
                                    • SysAllocString.OLEAUT32(00000000), ref: 00AF3CCD
                                    • VariantClear.OLEAUT32(?), ref: 00AF3D4A
                                    • VariantClear.OLEAUT32(?), ref: 00AF3D7C
                                    • VariantClear.OLEAUT32(?), ref: 00AF3E9C
                                    • VariantClear.OLEAUT32(?), ref: 00AF3ECB
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AF3ED2
                                    • SysAllocString.OLEAUT32(00000000), ref: 00AF3F25
                                    • VariantClear.OLEAUT32(?), ref: 00AF3FAA
                                    • VariantClear.OLEAUT32(?), ref: 00AF3FDC
                                    • VariantClear.OLEAUT32(?), ref: 00AF40CD
                                    • VariantClear.OLEAUT32(?), ref: 00AF40FA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$AllocFree
                                    • String ID:
                                    • API String ID: 1305860026-0
                                    • Opcode ID: 2b57243935c16e8e4a93d46075221e3e5b753b3f247f35a15cab3b8c7fd0adf2
                                    • Instruction ID: a6a80272bec93a57200923edf473cb754dfef7ce3469bb0a8e0d8726d22a2af4
                                    • Opcode Fuzzy Hash: 2b57243935c16e8e4a93d46075221e3e5b753b3f247f35a15cab3b8c7fd0adf2
                                    • Instruction Fuzzy Hash: 2242697190064CDFCF10DFA8C948BEEBBB4EF48310F148269E505EB291E7799A45CBA5
                                    APIs
                                      • Part of subcall function 00ADF600: EnterCriticalSection.KERNEL32(00D77250,83C8296E,00000000,?,?,?,?,?,?,00ADEE60,00C907AD,000000FF), ref: 00ADF63D
                                      • Part of subcall function 00ADF600: LoadCursorW.USER32(00000000,00007F00), ref: 00ADF6B8
                                      • Part of subcall function 00ADF600: LoadCursorW.USER32(00000000,00007F00), ref: 00ADF75E
                                    • SysFreeString.OLEAUT32(00000000), ref: 00ADF243
                                    • SysAllocString.OLEAUT32(00000000), ref: 00ADF274
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00ADF34B
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00ADF35B
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ADF366
                                    • NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00ADF374
                                    • GetWindowLongW.USER32(?,000000EB), ref: 00ADF382
                                    • SetWindowTextW.USER32(?,00CF438C), ref: 00ADF421
                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00ADF458
                                    • GlobalLock.KERNEL32(00000000), ref: 00ADF466
                                    • GlobalUnlock.KERNEL32(?), ref: 00ADF48A
                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00ADF515
                                    • SysFreeString.OLEAUT32(00000000), ref: 00ADF52E
                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00ADF575
                                    • SysFreeString.OLEAUT32(00000000), ref: 00ADF595
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
                                    • String ID:
                                    • API String ID: 4180125975-0
                                    • Opcode ID: 933e3dfb62942a5dcb25688ad940ab817c6bd56c2cbc36c3954d974a69a1b499
                                    • Instruction ID: 32d764f73dc42ac2efde6170996ebd4a7efc3082dea49bed8e691a79dedacff0
                                    • Opcode Fuzzy Hash: 933e3dfb62942a5dcb25688ad940ab817c6bd56c2cbc36c3954d974a69a1b499
                                    • Instruction Fuzzy Hash: 90D1CE71900609EFDB10DFA4DD48BAFBBB8EF45314F14416AE817AB390D7759A40CBA1
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EB), ref: 00AE8EA3
                                    • ShowWindow.USER32(00000000,?), ref: 00AE8EC2
                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00AE8ED0
                                    • GetWindowRect.USER32(00000000,?), ref: 00AE8EE7
                                    • ShowWindow.USER32(00000000,?), ref: 00AE8F08
                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 00AE8F1F
                                      • Part of subcall function 00AE2A50: RaiseException.KERNEL32(83C8296E,83C8296E,00000000,00000000,00C1197B,C000008C,00000001,83C8296E), ref: 00AE2A5C
                                    • ShowWindow.USER32(?,?), ref: 00AE905D
                                    • GetWindowLongW.USER32(?,000000EB), ref: 00AE908C
                                    • ShowWindow.USER32(?,?), ref: 00AE90A9
                                    • GetWindowRect.USER32(?,?), ref: 00AE90CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$LongShow$Rect$ExceptionRaise
                                    • String ID:
                                    • API String ID: 777556035-0
                                    • Opcode ID: 44cbfaf79012e7a8c8484a7fca7c8ee13d75ebeba5f5142bbcb1260ecb4aa501
                                    • Instruction ID: 19b153363e977df8531f1d54c1ff4aac3a91f5237147e703c23a20452ba1671b
                                    • Opcode Fuzzy Hash: 44cbfaf79012e7a8c8484a7fca7c8ee13d75ebeba5f5142bbcb1260ecb4aa501
                                    • Instruction Fuzzy Hash: C4423671A047489FCB24CFA9D884A9EBBF5FF88304F14851DE85AEB260D770A985CF51
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00BDD2A2
                                    • FindClose.KERNEL32(00000000), ref: 00BDD2D0
                                    • FindClose.KERNEL32(00000000), ref: 00BDD359
                                    Strings
                                    • No acceptable version found. Operating System not supported., xrefs: 00BDD73B
                                    • No acceptable version found. It is already downloaded and it will be installed., xrefs: 00BDD742
                                    • Not selected for install., xrefs: 00BDD750
                                    • No acceptable version found. It must be downloaded., xrefs: 00BDD72D
                                    • No acceptable version found. It must be downloaded manually from a site., xrefs: 00BDD734
                                    • No acceptable version found., xrefs: 00BDD749
                                    • An acceptable version was found., xrefs: 00BDD71F
                                    • No acceptable version found. It must be installed from package., xrefs: 00BDD726
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                    • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                    • API String ID: 544434140-749633484
                                    • Opcode ID: bc7824790fd75c033d50961dfe3a93a0f046234e9a5d5edbda14a178f2459f87
                                    • Instruction ID: 79f8c886ea207d6960a72a933dbe06fe69c9d06cc0788f898ef981f669ae2ae6
                                    • Opcode Fuzzy Hash: bc7824790fd75c033d50961dfe3a93a0f046234e9a5d5edbda14a178f2459f87
                                    • Instruction Fuzzy Hash: 8BF16C70A006068FDB50DF68C9487AEFBF1FF45310F1486AAD499AB391EB34DA45CB91
                                    APIs
                                    • GetWindowLongW.USER32(80070216,000000EC), ref: 00ADECDB
                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 00ADECEB
                                    • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00ADECF6
                                    • NtdllDefWindowProc_W.NTDLL(00000000,?,00000001,80070216,?,00000000,?,?,80070216), ref: 00ADED04
                                    • GetWindowLongW.USER32(00000000,000000EB), ref: 00ADED12
                                    • SetWindowTextW.USER32(00000000,00CF438C), ref: 00ADEDB1
                                    • GlobalAlloc.KERNEL32(00000042,00000000,?,00000000), ref: 00ADEDE8
                                    • GlobalLock.KERNEL32(00000000), ref: 00ADEDF6
                                    • GlobalUnlock.KERNEL32(?), ref: 00ADEE1A
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00ADEE7F
                                    • NtdllDefWindowProc_W.NTDLL(00000000,?,83C8296E,00000000), ref: 00ADEED1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                    • String ID:
                                    • API String ID: 3555041256-0
                                    • Opcode ID: 8a59e7a35dae926aaaccd686c41945f5b9d856add4e0fb7539032c50f88fd1a4
                                    • Instruction ID: 6ebc452de91eac1fe81caad36557107d65c5cea365da2db0cf92f60c973b8bef
                                    • Opcode Fuzzy Hash: 8a59e7a35dae926aaaccd686c41945f5b9d856add4e0fb7539032c50f88fd1a4
                                    • Instruction Fuzzy Hash: E0A1DD71901205EBDB10EF68DC48BAFBBB9EF44710F24461AF816EB391DB759940CBA1
                                    APIs
                                    • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00AF6386
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    • __Init_thread_footer.LIBCMT ref: 00AF634F
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00AF677F
                                    • SendMessageW.USER32(?,0000102B,?,?), ref: 00AF67C8
                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 00AF684E
                                      • Part of subcall function 00BC7EE0: __cftof.LIBCMT ref: 00BC7F2F
                                    • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00AF6994
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__cftof
                                    • String ID: AiFeatIco$Icon
                                    • API String ID: 2303580663-1280411655
                                    • Opcode ID: 3bbeae6a078ce275b9729579e4101a30139c7bf6fb1637c22be59b692df1f487
                                    • Instruction ID: ca36b7eaa869f6947ae687b252201f7a90aac3eb66815e29d6e3a622423da65b
                                    • Opcode Fuzzy Hash: 3bbeae6a078ce275b9729579e4101a30139c7bf6fb1637c22be59b692df1f487
                                    • Instruction Fuzzy Hash: BA328B71900248DFDF14DFA8C985BEDBBB1EF58304F144169E909AB392EB706A44CBA1
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • _wcschr.LIBVCRUNTIME ref: 00BFB5AC
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BFB68B
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BFB6B5
                                    • GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00BFB710
                                    • GetDriveTypeW.KERNEL32(?), ref: 00BFB72A
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00BFB927
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00BFB9B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Wow64$DriveInit_thread_footerRedirection_wcsrchr$DisableHeapLogicalProcessRevertStringsType_wcschr
                                    • String ID: ]%!
                                    • API String ID: 1522321474-1069524040
                                    • Opcode ID: ef5b5080fce79dde5eafb8646d73d1879627a67af11dafa911b97da02849a649
                                    • Instruction ID: 0feae253b17369195bda5fe8029890e06d3fdf5af75a9e14adf72b2fe02101d6
                                    • Opcode Fuzzy Hash: ef5b5080fce79dde5eafb8646d73d1879627a67af11dafa911b97da02849a649
                                    • Instruction Fuzzy Hash: BBF19E71900659DBDB24DB68CD84BADF7F4EF44310F1482E9E61AA7291DB709E88CF90
                                    APIs
                                    • SendMessageW.USER32(00000000,00000432,00000000,?), ref: 00B2FD0C
                                    • SendMessageW.USER32(00000000,00000439,00000000,?), ref: 00B2FD1C
                                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00B2FD2E
                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00B2FD3F
                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00B2FD52
                                    • GetWindowRect.USER32(?,?), ref: 00B2FD80
                                      • Part of subcall function 00B31310: CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B3136F
                                      • Part of subcall function 00B31310: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00B2FEE9,00000000,83C8296E,?,?), ref: 00B31388
                                      • Part of subcall function 00AE0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AE0E96
                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00B2FDE2
                                    • SendMessageW.USER32(00000000,00000411,00000001,?), ref: 00B2FDF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateLongRect
                                    • String ID:
                                    • API String ID: 1954517558-0
                                    • Opcode ID: d79631a48bd7008c1e40824cf44c965377ebe5f79608bf9d3041c050170f4716
                                    • Instruction ID: fa58ec08ffe1f72723b94f3fc0cb34567bc8406472a3394162ed1970287807a1
                                    • Opcode Fuzzy Hash: d79631a48bd7008c1e40824cf44c965377ebe5f79608bf9d3041c050170f4716
                                    • Instruction Fuzzy Hash: 11B1F9B1A00219AFDB04CF69D981AEE7BF5FB48300F40862AFD19E7290D774E954CB90
                                    APIs
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00BB3690
                                    • SendMessageW.USER32(?,00000443,00000000), ref: 00BB36FA
                                    • MulDiv.KERNEL32(?,00000000), ref: 00BB3731
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow
                                    • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                    • API String ID: 701072176-2319862951
                                    • Opcode ID: b1f8d44fa7dde5c9a2f24a5c6c6d330ed186a118012dc3e0d96a91818eb5866f
                                    • Instruction ID: 1ffcb5c8095307702f2cc96db91bca64ea6b74498577a0cdc6e81c99cce65a41
                                    • Opcode Fuzzy Hash: b1f8d44fa7dde5c9a2f24a5c6c6d330ed186a118012dc3e0d96a91818eb5866f
                                    • Instruction Fuzzy Hash: A2C1BE31A00705AFEB14CF64CC55BEEB7F1EB49700F008299E55AA73D1DB74AA45CBA1
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • GetACP.KERNEL32(?,?,?,?,?,?,00C7A53E,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00C84E11
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00C7A53E,?,?,?,00000055,?,-00000050,?,?), ref: 00C84E3C
                                    • _wcschr.LIBVCRUNTIME ref: 00C84ED0
                                    • _wcschr.LIBVCRUNTIME ref: 00C84EDE
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00C84F9F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                    • String ID: utf8
                                    • API String ID: 4147378913-905460609
                                    • Opcode ID: 02ed6f6d904bbc72bc40bd3295d6aba01ee4c259b0763167dca73cb99769f40a
                                    • Instruction ID: 7553d0ee611d8299faafa650352fd3f921afe4b3dbe7973099c115f10d6ce2be
                                    • Opcode Fuzzy Hash: 02ed6f6d904bbc72bc40bd3295d6aba01ee4c259b0763167dca73cb99769f40a
                                    • Instruction Fuzzy Hash: F571F771600207ABDB28BBB5CC46BBA73E9EF45708F14402AFA15DB181FB70DA41D768
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: c65986403cf7fbc2fe4172a04489f7b417b8c8a9c6f613794c653f41515fb442
                                    • Instruction ID: c1bbb15d7a95000e291ce761fb74b16e2a3a3ab2e1306da64ef6e9ea3f53ac72
                                    • Opcode Fuzzy Hash: c65986403cf7fbc2fe4172a04489f7b417b8c8a9c6f613794c653f41515fb442
                                    • Instruction Fuzzy Hash: EDD23A71E092288FEB65DE28CD407EAB7B5EB45309F1441EAD41DE7240EB78AE81CF45
                                    APIs
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BD4A68
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00BD4B68
                                    • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00BD4C05
                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00BD4C2B
                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00BD4C75
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BD4CF9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirstInit_thread_footer_wcsrchr$HeapProcess
                                    • String ID:
                                    • API String ID: 2593539128-0
                                    • Opcode ID: ce005a9488932478458d5bac4559aadccf3ceb8686a906937150c4fcf335eda6
                                    • Instruction ID: 472693d3e56a740ca086f120e37effd1075d673090654031182ce147bd256a08
                                    • Opcode Fuzzy Hash: ce005a9488932478458d5bac4559aadccf3ceb8686a906937150c4fcf335eda6
                                    • Instruction Fuzzy Hash: 9AA1C071A002499BDB10DF68DC49BAEFBF4FF84324F14866AE815D7390EBB59904CB90
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,83C8296E,?,00000000,00000000), ref: 00C109A1
                                    • FindNextFileW.KERNEL32(?,00000000), ref: 00C109BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: FileFind$FirstNext
                                    • String ID:
                                    • API String ID: 1690352074-0
                                    • Opcode ID: 70f87a9c45048d16c7015cb5e145fc415ecade3b3aa05c3501c7d686a66fb7f7
                                    • Instruction ID: 0dd1bf68139089ac06b4182385ac2a9b3380102a2254c60671777e0b50f81115
                                    • Opcode Fuzzy Hash: 70f87a9c45048d16c7015cb5e145fc415ecade3b3aa05c3501c7d686a66fb7f7
                                    • Instruction Fuzzy Hash: 4E719D71900289DFDB10DFA9C988BDEBBB4FF09314F248169E815EB291D7709E44CB60
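The records on this page list each function's API calls in address order but leave it to the reader to tie them back to the signatures in the overview: "Checks for available system drives" is the GetLogicalDriveStringsW followed by GetDriveTypeW pair in the record whose Opcode ID starts ef5b5080fce7, and the several FindFirstFileW records differ in whether a FindClose is attributed to the same function. The Python script below is an added example and is not part of the Joe Sandbox report. It parses the three call-line shapes that occur on this page, groups them per "APIs" record, and derives behaviour tags from call order and call pairing. The names parse_records, triage, Call and Record are the example's own; the sample input is constructed by copying three of this page's records. A findclose-missing tag is only a prompt to look at the caller, because the plugin lists just the calls it attributed to that function body.

```python
"""Behaviour tags from the per-function "APIs" lists of a Joe Sandbox IDA-plugin dump.
Added example, not part of the report; helper names are the example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One call line. Three shapes occur in the report:
#   • GetDriveTypeW.KERNEL32(?), ref: 00BFB72A
#   • _wcschr.LIBVCRUNTIME ref: 00BFB5AC
#   • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str                    # address of the call site
    subcall: Optional[str]      # callee address when listed as "Part of subcall function"


@dataclass
class Record:
    opcode_id: str = "?"        # first 12 hex chars of the record's Opcode ID
    calls: list[Call] = field(default_factory=list)

    @property
    def direct(self) -> list[Call]:
        """Calls made by this function itself, excluding those attributed to callees."""
        return [c for c in self.calls if c.subcall is None]


def parse_records(text: str) -> list[Record]:
    """Split the dump into records: each 'APIs' header opens one, its call lines follow."""
    records: list[Record] = []
    cur: Optional[Record] = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif s.startswith("• Opcode ID:"):
            cur.opcode_id = s.split(":", 1)[1].strip()[:12]
    return records


def follows(calls: list[Call], first: str, second: str) -> bool:
    """True if a call to `first` is listed before a call to `second` (list order is address order)."""
    names = [c.api for c in calls]
    return first in names and second in names[names.index(first) + 1:]


def triage(text: str) -> dict[str, list[str]]:
    """Map each record's Opcode ID prefix to the behaviour tags its direct calls support."""
    out: dict[str, list[str]] = {}
    for r in parse_records(text):
        names = [c.api for c in r.direct]
        tags: list[str] = []
        # "Checks for available system drives": enumerate drive letters, then classify each.
        if follows(r.direct, "GetLogicalDriveStringsW", "GetDriveTypeW"):
            tags.append("drive-enumeration")
        # Disabling WOW64 redirection lets a 32-bit process reach the real System32;
        # a Revert in the same function is the well-behaved pattern, its absence is not.
        if "Wow64DisableWow64FsRedirection" in names:
            balanced = "Wow64RevertWow64FsRedirection" in names
            tags.append("wow64-redirection-disabled" + ("" if balanced else "-unbalanced"))
        # FindFirstFileW handles are released with FindClose; a shortfall inside one
        # record only means the close is not attributed here (it may sit in the caller).
        opened, closed = names.count("FindFirstFileW"), names.count("FindClose")
        if opened:
            tags.append("file-enumeration")
            if closed < opened:
                tags.append(f"findclose-missing({opened - closed})")
        if tags:
            out[r.opcode_id] = tags
    return out


# Constructed input: three "APIs" lists copied from this report, each closed by its Opcode ID line.
SAMPLE = """\
APIs
  • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
  • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
• _wcschr.LIBVCRUNTIME ref: 00BFB5AC
• GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00BFB710
• GetDriveTypeW.KERNEL32(?), ref: 00BFB72A
• Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00BFB927
• Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00BFB9B1
Strings
Memory Dump Source
• Opcode ID: ef5b5080fce79dde5eafb8646d73d1879627a67af11dafa911b97da02849a649
APIs
• _wcsrchr.LIBVCRUNTIME ref: 00BD4A68
• FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00BD4B68
• FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00BD4C05
• FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00BD4C2B
• FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00BD4C75
• Opcode ID: ce005a9488932478458d5bac4559aadccf3ceb8686a906937150c4fcf335eda6
APIs
• FindFirstFileW.KERNEL32(?,00000000,-00000010,?,83C8296E,?,00000000,00000000), ref: 00C109A1
• FindNextFileW.KERNEL32(?,00000000), ref: 00C109BC
• Opcode ID: 70f87a9c45048d16c7015cb5e145fc415ecade3b3aa05c3501c7d686a66fb7f7
"""

if __name__ == "__main__":
    for key, tags in triage(SAMPLE).items():
        print(key, ", ".join(tags))
```

Only direct calls feed the rules; lines marked "Part of subcall function" describe the callee and would otherwise make every function that touches the CRT initialiser look like it calls GetProcessHeap itself. Running the script over a whole report copy (paste the page text in place of SAMPLE) gives one tag line per function, which is the quickest way to see how many of the overview's signatures trace back to a single routine.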
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000C,00C66668,00000000,?,00C66800,00000000,?,?,00AE0C24,?), ref: 00C6674E
                                    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,00AE0C24,?), ref: 00C66775
                                    • HeapAlloc.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C6677C
                                    • InitializeSListHead.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C66789
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00AE0C24,?), ref: 00C6679E
                                    • HeapFree.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C667A5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                    • String ID:
                                    • API String ID: 1475849761-0
                                    • Opcode ID: 0ca8cfe96a362855135dbcb9068fb35f49f5d1d5be46897550c8536a5b2b8184
                                    • Instruction ID: fe2210d9ad67c73cadab1c5b4d4fc98b3455e33aa5de9993a3d090d5179abbd2
                                    • Opcode Fuzzy Hash: 0ca8cfe96a362855135dbcb9068fb35f49f5d1d5be46897550c8536a5b2b8184
                                    • Instruction Fuzzy Hash: 3AF062716007519FEB219F79EC88B5A77F8FB88B16F000428FA56D7350EF70D4418A61
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,00C857FD,00000002,00000000,?,?,?,00C857FD,?,00000000), ref: 00C85578
                                    • GetLocaleInfoW.KERNEL32(?,20001004,00C857FD,00000002,00000000,?,?,?,00C857FD,?,00000000), ref: 00C855A1
                                    • GetACP.KERNEL32(?,?,00C857FD,?,00000000), ref: 00C855B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: e46cd7f84898ffeea104aa6aa7c8485a34fdab8f801e9dacfac720b15c9e8463
                                    • Instruction ID: 751b5d8a95373e342e3af8a15484ac539a902852d66d7ec301ebfd3b963bd724
                                    • Opcode Fuzzy Hash: e46cd7f84898ffeea104aa6aa7c8485a34fdab8f801e9dacfac720b15c9e8463
                                    • Instruction Fuzzy Hash: BE212872A00901AADB34AF55C905B9B73A7EF44B58B568828E91ACB100F7B2DF00C348
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00C857C0
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00C85809
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00C85818
                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00C85860
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00C8587F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                    • String ID:
                                    • API String ID: 415426439-0
                                    • Opcode ID: 7efa422619cb47c6c936fe2f1e155174b82e38e48ca5f0f41305ef81c3d4af6d
                                    • Instruction ID: 9dc992f1e7f59934d179a24b639ebd7e0068a02fb66d5bc31da6238440f6f892
                                    • Opcode Fuzzy Hash: 7efa422619cb47c6c936fe2f1e155174b82e38e48ca5f0f41305ef81c3d4af6d
                                    • Instruction Fuzzy Hash: ED518271A10A0AEBDF10EFA5CC81BBE77B8FF44704F158469E515EB150E7B09A00DB65
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: 6ae349831aba88284cfda338ffe51b0bf1533f9bc1b9d8db91a0d059f7c83b13
                                    • Instruction ID: 9c3d8a78f81ebc76c89639709082ac775116e68af799e9a3f49d4c057552b83c
                                    • Opcode Fuzzy Hash: 6ae349831aba88284cfda338ffe51b0bf1533f9bc1b9d8db91a0d059f7c83b13
                                    • Instruction Fuzzy Hash: D5B12532904245DFDB158F68C8C1BEEBBA5EF59314F14C17EE829AB342D2759E02C7A0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3ff1fe3c3ac909ddbadb813ba4140dffc780c0b5c23e41c1c9784ee7899aac9b
                                    • Instruction ID: c629ffcdd098a4a29f05f89fa51b691c9d89fa99362c7e8c6858f73b2744ad7b
                                    • Opcode Fuzzy Hash: 3ff1fe3c3ac909ddbadb813ba4140dffc780c0b5c23e41c1c9784ee7899aac9b
                                    • Instruction Fuzzy Hash: D881BD70901218DFDB60DF28CD89BA9BBF4EF44314F1482D9E519AB292DB709E84CF91
                                    APIs
                                    • FindResourceW.KERNEL32(00000000,?,00000017,83C8296E,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00B6AD49
                                    • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00B6AD58
                                    • LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00B6AD63
                                    • SizeofResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00B6AD74
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID:
                                    • API String ID: 3473537107-0
                                    • Opcode ID: f668f0da235962b3048f8dfe7826290d9b2d2ab156adb844738c5dc11e805dcd
                                    • Instruction ID: 50281007215e743e865240822db82f8b35e05e06deb306422b18a4f9b3910318
                                    • Opcode Fuzzy Hash: f668f0da235962b3048f8dfe7826290d9b2d2ab156adb844738c5dc11e805dcd
                                    • Instruction Fuzzy Hash: 5B31B171D05744ABDB209F74DC45BAFB7F8EB58710F104279E815A7681EB34AA04CBA2
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00B30DB5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B30DD3
                                    • NtdllDefWindowProc_W.NTDLL(?,00000086,?,00000000), ref: 00B30DE5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B30DF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: 49ed94b78883ee76c6151734986ea79401671899d78df604e8abad552650236e
                                    • Instruction ID: 2b2fc43e6140ebcf4a2dc313c7fb92af9166265a9286b691d11683aeb0bd0f9a
                                    • Opcode Fuzzy Hash: 49ed94b78883ee76c6151734986ea79401671899d78df604e8abad552650236e
                                    • Instruction Fuzzy Hash: 1F31A930908319AFDB10CFA8DC84B5DBBF1FF45320F20429AE815AB3A1DBB1A940CB50
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00B30C40
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B30C5E
                                    • NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?,?,000000F0,00000000,?,000000F0), ref: 00B30C71
                                    • SetWindowLongW.USER32(FFFFFFFF,000000F0,00000000), ref: 00B30C89
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: 3376ec5ff223a30320f938f4c4a4c47a543de7432e6bcc89c3607cc02636c3a9
                                    • Instruction ID: 9a84f399a595f541cfcd0a3a0ede6613d3a99782b074c4df20756543e6fec35b
                                    • Opcode Fuzzy Hash: 3376ec5ff223a30320f938f4c4a4c47a543de7432e6bcc89c3607cc02636c3a9
                                    • Instruction Fuzzy Hash: 39115E72904219EFDF109F98DC45A5DBBB1FB44320F21036AE825A33E0DB715D50DB50
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00B30CB5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B30CD3
                                    • NtdllDefWindowProc_W.NTDLL(?,00000080,?,?,?,000000F0,00000000,?,000000F0), ref: 00B30CE9
                                    • SetWindowLongW.USER32(FFFFFFFF,000000F0,00000000), ref: 00B30D01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: be93e193ae9f56ae602797528d7b509bb9db3b7127ab2762c2c35d8056c55931
                                    • Instruction ID: 7a74e729faf9093f6245b56c9bc4220dc2e2b3280059cf29ffb7944405876c83
                                    • Opcode Fuzzy Hash: be93e193ae9f56ae602797528d7b509bb9db3b7127ab2762c2c35d8056c55931
                                    • Instruction Fuzzy Hash: FC113C72904219EFDF119F98DC55A9DBBB1FB44320F20436AF869A33E0DB725950DB50
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00BFC9EC
                                    • FindClose.KERNEL32(00000000), ref: 00BFCB37
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Find$AllocateCloseFileFirstHeap
                                    • String ID: %d.%d.%d.%d
                                    • API String ID: 1673784098-3491811756
                                    • Opcode ID: 8f80e90fc4f4198ef1cd83adbc579545aa478a0c54989d03d2d16f93ecb92634
                                    • Instruction ID: 0d48a2ec45725ff9c83d736e712eb2d8f3a1dac943b846286ae1a85702377023
                                    • Opcode Fuzzy Hash: 8f80e90fc4f4198ef1cd83adbc579545aa478a0c54989d03d2d16f93ecb92634
                                    • Instruction Fuzzy Hash: F4618E7490521DDFDF20DF28C949BAEBBB4EF44314F1082D9E519AB291DB359A88CF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                    • API String ID: 0-932585912
                                    • Opcode ID: 66f829f50f35ff961f0992e0e868d15a6f1c3cfe5b6e2c11f2d34f145bb80eee
                                    • Instruction ID: 0fb2d8bb135c5b1cc3dd45f220d470773319d2a607aecfa43afbbdf4e9685cc0
                                    • Opcode Fuzzy Hash: 66f829f50f35ff961f0992e0e868d15a6f1c3cfe5b6e2c11f2d34f145bb80eee
                                    • Instruction Fuzzy Hash: B9D1B170D00268DFDB04CFA9C944BADBBF1FF45304F508269E455AB386D778AA09DBA1
                                    APIs
                                    • VirtualQuery.KERNEL32(80000000,00C64062,0000001C,00C64257,00000000,?,?,?,?,?,?,?,00C64062,00000004,00D758EC,00C642E7), ref: 00C6412E
                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00C64062,00000004,00D758EC,00C642E7), ref: 00C64149
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: InfoQuerySystemVirtual
                                    • String ID: D
                                    • API String ID: 401686933-2746444292
                                    • Opcode ID: 3fe31f1b16f92e9792461c596e389ec9a915d64adb13a421623e9b38eebc5276
                                    • Instruction ID: 1d2565557f36ed27e07e03ca2b16bbccd33c4c52d7fc344368eaf257fc52a270
                                    • Opcode Fuzzy Hash: 3fe31f1b16f92e9792461c596e389ec9a915d64adb13a421623e9b38eebc5276
                                    • Instruction Fuzzy Hash: 2B012B32600109ABCB28DE29DC45BDE7BBEEFD5334F0DC220ED69DB250D634D9418680
                                    APIs
                                      • Part of subcall function 00AE3730: InitializeCriticalSectionAndSpinCount.KERNEL32(00D75C5C,00000000,83C8296E,00AD0000,Function_001BE9A0,000000FF,?,00C66466,?,?,?,00AD6508), ref: 00AE3755
                                      • Part of subcall function 00AE3730: GetLastError.KERNEL32(?,00C66466,?,?,?,00AD6508), ref: 00AE375F
                                    • IsDebuggerPresent.KERNEL32(?,?,?,00AD6508), ref: 00C6646A
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AD6508), ref: 00C66479
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C66474
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 450123788-631824599
                                    • Opcode ID: fc5cc79e85db2549ca0f3b7df94a74c5accf26d23c5af5d43c6891a77cbdaa00
                                    • Instruction ID: 0da5a979ebbac9aae1accbca9e8d6bb36e2af367bdd08395d9c9742295a51074
                                    • Opcode Fuzzy Hash: fc5cc79e85db2549ca0f3b7df94a74c5accf26d23c5af5d43c6891a77cbdaa00
                                    • Instruction Fuzzy Hash: AAE06DB02017918FD770DF26E988756BAE4AF04704F00885DE596C6740EBB0E5448BA2
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C851B7
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C85201
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C852C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: InfoLocale$ErrorLast
                                    • String ID:
                                    • API String ID: 661929714-0
                                    • Opcode ID: e5b361470002e5e8e80de4f03c4b8cbfda98c89fd57a22f8e298c64d3e039522
                                    • Instruction ID: 1f0f0b2d7addc8fae1636bae753d414c03532696eb794c48780e74b64c331526
                                    • Opcode Fuzzy Hash: e5b361470002e5e8e80de4f03c4b8cbfda98c89fd57a22f8e298c64d3e039522
                                    • Instruction Fuzzy Hash: 0F61C6B1510A179FDB28EF28CC82BBA77A8FF04344F144179ED15C6291EBB4EA41DB54
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,83C8296E,?), ref: 00BB82FC
                                    • FindNextFileW.KERNEL32(000000FF,00000010,?,83C8296E,?), ref: 00BB8455
                                    • FindClose.KERNEL32(000000FF,?,?,83C8296E,?), ref: 00BB84B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    • Opcode ID: f4ebdd7887521ffe74ad61decba85a780b3750d79e84c322d2b2d98fe0fa58da
                                    • Instruction ID: 57a02ad617383c1f74f5695731feeeae5a51aed8a5333978ce23066bbcf33bc9
                                    • Opcode Fuzzy Hash: f4ebdd7887521ffe74ad61decba85a780b3750d79e84c322d2b2d98fe0fa58da
                                    • Instruction Fuzzy Hash: F0818C70D05249DFCB24DF68C999BEEB7F8EF04304F5082D9E419A7291DBB46A84CB90
                                    APIs
                                    • IsWindow.USER32(00000004), ref: 00AE89FE
                                    • GetWindowLongW.USER32(00000004,000000FC), ref: 00AE8A17
                                    • SetWindowLongW.USER32(00000004,000000FC,?), ref: 00AE8A29
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID:
                                    • API String ID: 847901565-0
                                    • Opcode ID: 58a0eeda2f0d39c00574a946a10998316b07283b534f99874be7e94549a7f263
                                    • Instruction ID: fb5df35bf765686d6696f64fe1143a97c85d8ff1a10330a57384be410d77124f
                                    • Opcode Fuzzy Hash: 58a0eeda2f0d39c00574a946a10998316b07283b534f99874be7e94549a7f263
                                    • Instruction Fuzzy Hash: BE418FB0600B46EFDB14CF65D948B5AFBA4FF04714F108269E428D7B90EBB6E914CB91
                                    APIs
                                    • GetWindowLongW.USER32(00000003,000000FC), ref: 00AEC7A6
                                    • SetWindowLongW.USER32(00000003,000000FC,?), ref: 00AEC7B8
                                    • DeleteCriticalSection.KERNEL32(?,83C8296E,?,?,?,?,00C92AE4,000000FF), ref: 00AEC7E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: LongWindow$CriticalDeleteSection
                                    • String ID:
                                    • API String ID: 1978754570-0
                                    • Opcode ID: beae50e29aa87f397ccfaa59620e6b67b39d938d2ce06d4490aac81e2f6df5b4
                                    • Instruction ID: 307c8d5aa8a567e7e9b5cff03511e93dcfbbb590cb8b42ef67b7ddf48f559e84
                                    • Opcode Fuzzy Hash: beae50e29aa87f397ccfaa59620e6b67b39d938d2ce06d4490aac81e2f6df5b4
                                    • Instruction Fuzzy Hash: 3A31BC71904746BBCF20CF29DD44B5AFBB8BB05320F104229E814D7691E7B1E951DBA0
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00C6BF9B
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C6BFA5
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00C6BFB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 3f0947b6dc65ea037e4f32ae0dbf4effca0a85f294796b3a7f98a9e010bcad57
                                    • Instruction ID: bdbfdfa717f4d3ad201fdc2cf4182d6bd058aff772bbe544d351934b9cd0b826
                                    • Opcode Fuzzy Hash: 3f0947b6dc65ea037e4f32ae0dbf4effca0a85f294796b3a7f98a9e010bcad57
                                    • Instruction Fuzzy Hash: 6831B375901219ABCB21DF68DD897CDBBB8EF08310F5041EAE41CA7261EB709F858F45
                                    APIs
                                    • GetWindowLongW.USER32(?,000000FC), ref: 00AE1759
                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 00AE1767
                                    • DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,00CF484C), ref: 00AE1793
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$Destroy
                                    • String ID:
                                    • API String ID: 3055081903-0
                                    • Opcode ID: ac4b1801610b73419e2d2e6153c49c5b3fb6b115733739d6a15119fc5f628de5
                                    • Instruction ID: 1b21719d143c499061a0d55afda8eb17b6b4cd94b74d609f0963560251b0a1ba
                                    • Opcode Fuzzy Hash: ac4b1801610b73419e2d2e6153c49c5b3fb6b115733739d6a15119fc5f628de5
                                    • Instruction Fuzzy Hash: FDF01D30005B119BDB605B29FD44B92BBE5BB08726B004A1DE4ABC26E4E770A8849B10
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe00726064c4781be53a5f95343334d0c88b69ae3b43e3ddceb108eab983eed0
                                    • Instruction ID: bb680316329038ef414997598c313daaf576279a9500f61c2b407046d9e89d41
                                    • Opcode Fuzzy Hash: fe00726064c4781be53a5f95343334d0c88b69ae3b43e3ddceb108eab983eed0
                                    • Instruction Fuzzy Hash: 3DF13171E006199FDF14CF69C8806ADBBB1FF89314F158269D929E7381D730AE05CB94
                                    APIs
                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00AF7ABB
                                    • SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00AF7CA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: fba0ee1aeb9dd7e5ea2ff51fdeb1e59299e159257a1462da127462eade02e39e
                                    • Instruction ID: e6bd3eb49dd81bf715bc88c5f4eba4978c365f7c22f317e08b1e92ef588ac9a9
                                    • Opcode Fuzzy Hash: fba0ee1aeb9dd7e5ea2ff51fdeb1e59299e159257a1462da127462eade02e39e
                                    • Instruction Fuzzy Hash: 0AA1D371A0420AAFDB18DFA8C595BFDFBB5FF09304F148269E919DB281D730A941CB90
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,83C8296E,00000000,?,00000000), ref: 00BEF34E
                                    • FindClose.KERNEL32(00000000,?,00000000), ref: 00BEF399
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 01948a01e916ded3795e113dede29bf11183cf415084d04c13e4572e8a6f3226
                                    • Instruction ID: 30b384c5b4bfac859ed9489a2d245e17516e865a852a9dc03a0d7862421be9a2
                                    • Opcode Fuzzy Hash: 01948a01e916ded3795e113dede29bf11183cf415084d04c13e4572e8a6f3226
                                    • Instruction Fuzzy Hash: CC51817190064ADFEB20DF69C984BAEB7F4FF44314F1041A9E916AB381D7749A04CB90
                                    APIs
                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,83C8296E,?,00000000), ref: 00BD324B
                                    • GetLastError.KERNEL32(?,00000000), ref: 00BD3255
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 3eb7b5dd35f438fef9af88723041d112a0d12cc551b4e4a59ce5812bfb9a55ef
                                    • Instruction ID: d0866c691856ede5d03c29a31ad4412d2a2b2902f37ca3c4fd573681f0f6c72c
                                    • Opcode Fuzzy Hash: 3eb7b5dd35f438fef9af88723041d112a0d12cc551b4e4a59ce5812bfb9a55ef
                                    • Instruction Fuzzy Hash: 3631D171A00209AFDB10CF98DD05BAEFBF8EB04B14F10016EE519E73C1EBB59A008791
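The function entries in this listing are the raw material behind the report's signatures: the FindFirstFileW/FindNextFileW/FindClose loop is what the "checks for available system drives" signature keys on, the GetWindowLongW/SetWindowLongW pairs with a shared index rewrite a window attribute, and the IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter triad is the call sequence the "checks if a debugger is running" signature fires on. That same triad is also exactly the sequence the MSVC CRT emits in its security-failure handler (the /GS cookie failure path), so on its own it does not prove a deliberate anti-debugging check; the disassembly at the listed ref addresses has to decide that. The Python below is an added example written for this page, not code from Joe Sandbox or from the analysed sample: it parses "APIs" entries in the format shown here (the sample text is a constructed string copied from the entries above) and tags each function with the chain it matches. The chain names and the rule set are the editor's own, and the CRT reading of the debugger triad is an interpretation to verify, not a finding of the report.

```python
"""Tag Win32 API call chains listed in a Joe Sandbox function report.

Added example for this page; the report format is taken from the listing
above, the chain names and rules are the editor's own.
"""
import re

# Constructed sample: "APIs" blocks copied from function entries on this page.
SAMPLE_REPORT = """\
APIs
• FindFirstFileW.KERNEL32(?,?,?,83C8296E,?), ref: 00BB82FC
• FindNextFileW.KERNEL32(000000FF,00000010,?,83C8296E,?), ref: 00BB8455
• FindClose.KERNEL32(000000FF,?,?,83C8296E,?), ref: 00BB84B4
APIs
• IsWindow.USER32(00000004), ref: 00AE89FE
• GetWindowLongW.USER32(00000004,000000FC), ref: 00AE8A17
• SetWindowLongW.USER32(00000004,000000FC,?), ref: 00AE8A29
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00C6BF9B
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C6BFA5
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00C6BFB2
APIs
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,83C8296E,?,00000000), ref: 00BD324B
• GetLastError.KERNEL32(?,00000000), ref: 00BD3255
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: XXXXXXXX"
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

# Each rule names the set of APIs that must all occur in one function block.
# "crt-security-failure-handler" is an interpretation: the MSVC CRT's /GS
# failure path issues exactly this triad, so the match is a hypothesis to
# confirm in the disassembly, not proof of deliberate anti-debugging.
CHAIN_RULES = {
    "directory-enumeration": {"FindFirstFileW", "FindNextFileW", "FindClose"},
    "crt-security-failure-handler": {
        "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
    },
    "window-long-rewrite": {"GetWindowLongW", "SetWindowLongW"},
    "error-string-lookup": {"FormatMessageW", "GetLastError"},
}


def parse_api_blocks(text):
    """Split the report into per-function blocks of (api, module, args, ref) tuples."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":            # header starts a new function entry
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a for a in m["args"].split(",") if a]
            current.append((m["api"], m["module"], args, m["ref"]))
    return blocks


def classify_block(block):
    """Return the chain tags whose required APIs all appear in this block."""
    apis = {api for api, _, _, _ in block}
    tags = [tag for tag, required in CHAIN_RULES.items() if required <= apis]
    if "window-long-rewrite" in tags:
        # Only a real rewrite if Get and Set address the same nIndex (0xFC in the
        # listing above; whether the plugin prints that sign-truncated for -4,
        # i.e. GWL_WNDPROC, is an assumption to check against the disassembly).
        idx = {
            args[1] for api, _, args, _ in block
            if api in ("GetWindowLongW", "SetWindowLongW") and len(args) > 1
        }
        if len(idx) != 1:
            tags.remove("window-long-rewrite")
    return tags


def classify_report(text):
    """Map the first ref address of each function block to its chain tags."""
    result = {}
    for block in parse_api_blocks(text):
        if block:
            result[block[0][3]] = classify_block(block)
    return result


if __name__ == "__main__":
    for ref, tags in classify_report(SAMPLE_REPORT).items():
        print(ref, ", ".join(tags) or "(no rule matched)")
```

Functions that match no rule are the ones worth opening first in the snapshot file; the tagged ones can be triaged by chain, and the CRT handler tag in particular tells you to read the code at the ref address before treating the IsDebuggerPresent signature as evasion.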
                                    APIs
                                    • GetWindowLongW.USER32(00000000,000000FC), ref: 00B3017F
                                    • SetWindowLongW.USER32(00000000,000000FC,?), ref: 00B3018D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 30402f02d1355f9379baaf5d7cebdcf99c2328e9e8d7be20af21f1977454f96d
                                    • Instruction ID: 3d25e04d2a239d5653c02e99b6f448fd83b919cb4c10eb496519a538eae719ea
                                    • Opcode Fuzzy Hash: 30402f02d1355f9379baaf5d7cebdcf99c2328e9e8d7be20af21f1977454f96d
                                    • Instruction Fuzzy Hash: F0318931900A05EFCB10DF69D944B8AFBF4FF05320F2082A9E424A77D0D771AA50CBA0
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,83C8296E,?,00000000,00000000,00000000,00CD45DD,000000FF), ref: 00BFF908
                                    • FindClose.KERNEL32(00000000,?,83C8296E,?,00000000,00000000,00000000,00CD45DD,000000FF), ref: 00BFF952
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 54509eca12cce8da9cd6f8d8cdbb86df50a79226b7f44235990af9037a52140d
                                    • Instruction ID: 24a4adf7d63ba32b2f46d4387ca662f446ab5610986a182d2d695f60a2007a9e
                                    • Opcode Fuzzy Hash: 54509eca12cce8da9cd6f8d8cdbb86df50a79226b7f44235990af9037a52140d
                                    • Instruction Fuzzy Hash: E521C471900549DFDB20DF68DC49BAEF7B8FF84324F508269E925972D0EB745A08CB94
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2182938245.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, Offset: 011FE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_11fc000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: St($Sx(
                                    • API String ID: 0-2108355778
                                    • Opcode ID: 0e45fa5b3d95d17c5984cc2be833cb610dc0e8f125eb94920daf59a65217f7b1
                                    • Instruction ID: 5efbe89868d87aa775affa2b37e9c108c764a121ee9ff1674db2e20fed070c3d
                                    • Opcode Fuzzy Hash: 0e45fa5b3d95d17c5984cc2be833cb610dc0e8f125eb94920daf59a65217f7b1
                                    • Instruction Fuzzy Hash: BE025EA685E3D15FDB138B7448A96913FB0AE23214B4F86DBC4C0CF5F3E658494AD722
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2182938245.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, Offset: 011FC000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_11fc000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: St($Sx(
                                    • API String ID: 0-2108355778
                                    • Opcode ID: 0e45fa5b3d95d17c5984cc2be833cb610dc0e8f125eb94920daf59a65217f7b1
                                    • Instruction ID: 5efbe89868d87aa775affa2b37e9c108c764a121ee9ff1674db2e20fed070c3d
                                    • Opcode Fuzzy Hash: 0e45fa5b3d95d17c5984cc2be833cb610dc0e8f125eb94920daf59a65217f7b1
                                    • Instruction Fuzzy Hash: BE025EA685E3D15FDB138B7448A96913FB0AE23214B4F86DBC4C0CF5F3E658494AD722
                                    APIs
                                    • GetSystemTimePreciseAsFileTime.KERNEL32(?,00C65DF9,?,?,?,?,00BE73F1), ref: 00C663C6
                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,00C65DF9,?,?,?,?,00BE73F1), ref: 00C663CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem$Precise
                                    • String ID:
                                    • API String ID: 743729956-0
                                    • Opcode ID: f994abcdcb1b59c09d745a4c93933b9d1f582be72acc8651e6133a757fd30b78
                                    • Instruction ID: abca9ced1b87b69da32f9a04eb12dd9e448d6bebcba5ecc123b83eef9498f812
                                    • Opcode Fuzzy Hash: f994abcdcb1b59c09d745a4c93933b9d1f582be72acc8651e6133a757fd30b78
                                    • Instruction Fuzzy Hash: 20D01236581638F78E122F99FC887ED7B68EA04B657044161FA099B330CBB15D519BE1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2182938245.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, Offset: 011FE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_11fc000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: St($Sx(
                                    • API String ID: 0-2108355778
                                    • Opcode ID: d6b47e0124660366337b4bf6513d04fba448c1f4399b0d99b237881744d26c94
                                    • Instruction ID: e111b79a3b9cd73a9cf0aa74943508e8c91bc6a14492257b40a5111aec9b8dae
                                    • Opcode Fuzzy Hash: d6b47e0124660366337b4bf6513d04fba448c1f4399b0d99b237881744d26c94
                                    • Instruction Fuzzy Hash: 0DF13EA685E3C16FDB138B34486A6913FB0AE23214B4F85DBC4C0CF4B3E659494AD763
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2182938245.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, Offset: 011FC000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_11fc000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: St($Sx(
                                    • API String ID: 0-2108355778
                                    • Opcode ID: d6b47e0124660366337b4bf6513d04fba448c1f4399b0d99b237881744d26c94
                                    • Instruction ID: e111b79a3b9cd73a9cf0aa74943508e8c91bc6a14492257b40a5111aec9b8dae
                                    • Opcode Fuzzy Hash: d6b47e0124660366337b4bf6513d04fba448c1f4399b0d99b237881744d26c94
                                    • Instruction Fuzzy Hash: 0DF13EA685E3C16FDB138B34486A6913FB0AE23214B4F85DBC4C0CF4B3E659494AD763
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 2
                                    • API String ID: 0-450215437
                                    • Opcode ID: cca2992a18da95a79849e603246dd891b7e9ce157a77c8395cf7268db591841e
                                    • Instruction ID: 45395370d9190c7e18741c3ac0967f662a3fa9d1f4f23798070173716ccdf12c
                                    • Opcode Fuzzy Hash: cca2992a18da95a79849e603246dd891b7e9ce157a77c8395cf7268db591841e
                                    • Instruction Fuzzy Hash: 2D32D1B16047558BDB10DF25D89056BBBE6EF94308F00493EF4C7C7681E635E948DBA2
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C8199B,?,?,00000008,?,?,00C8CAFF,00000000), ref: 00C81BCD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 5e8c99a1dd73b2a815011b43be8df2bea2a06dbe83035479d381856eae2a1e55
                                    • Instruction ID: 21f93d5f7103263f850164747b2fb8df8d89887b27ea0e20bffc39c864b02863
                                    • Opcode Fuzzy Hash: 5e8c99a1dd73b2a815011b43be8df2bea2a06dbe83035479d381856eae2a1e55
                                    • Instruction Fuzzy Hash: 43B15271210608DFD718DF28C486B657BE4FF45369F298658E8E9CF2A1C335EA92CB44
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C8540A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: a7b82835394f491c227d5e7b1b880d42f288f69828ed86c1e7e6147dec4fcd0d
                                    • Instruction ID: a063302ad9d08c224348291663a1013e834bd81e383c914b9af5b55b10a13a25
                                    • Opcode Fuzzy Hash: a7b82835394f491c227d5e7b1b880d42f288f69828ed86c1e7e6147dec4fcd0d
                                    • Instruction Fuzzy Hash: DC21D772611606AFDB28EB65DC41BBA73A8EF85319F10407AFD05C6241EBB4DE80DF54
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • EnumSystemLocalesW.KERNEL32(00C85163,00000001,00000000,?,-00000050,?,00C85794,00000000,?,?,?,00000055,?), ref: 00C850AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: eea6725ad2b047d4d001f839c74aee6fd73af891f2336164466f70a0d8f82e13
                                    • Instruction ID: b562a9504f41e6ee7eaa4a78d7d571a5353424d67a62caf85fd94c398cb39fcf
                                    • Opcode Fuzzy Hash: eea6725ad2b047d4d001f839c74aee6fd73af891f2336164466f70a0d8f82e13
                                    • Instruction Fuzzy Hash: 3011293B6007015FDB18AF38C8956BABB91FF8035CB14442CE58647A40E3B16902DB80
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00C8537F,00000000,00000000,?), ref: 00C85611
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: 33244191fd7af71f9ade86e21b799560d5c6928b9edce6d605f3158f72b05b01
                                    • Instruction ID: fbc3d2f4b085b95365e055dd9c39f08ee616a49e59fa759062ded4fc34441e80
                                    • Opcode Fuzzy Hash: 33244191fd7af71f9ade86e21b799560d5c6928b9edce6d605f3158f72b05b01
                                    • Instruction Fuzzy Hash: 36F0A936A00512BBDB246625C8497BF7B64EB4075CF554468FD16A3240FAB4FF41CB94
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00C84F9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID: utf8
                                    • API String ID: 3736152602-905460609
                                    • Opcode ID: 4bd88e4b11a8ece200241839db66011d38786e6d7c8db44388271e6d41e668ec
                                    • Instruction ID: 18080a18d4a03545ccdb2d99072489637523ed41e98e85345069a4ef99e23878
                                    • Opcode Fuzzy Hash: 4bd88e4b11a8ece200241839db66011d38786e6d7c8db44388271e6d41e668ec
                                    • Instruction Fuzzy Hash: 1CF02833600105ABC724FB74DC49EBE33A8DB88319F004179F606D7241EA74AD059760
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • EnumSystemLocalesW.KERNEL32(00C853B6,00000001,00000000,?,-00000050,?,00C85758,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00C85122
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 9677c91cd2136fcadb562a4cfd923e5c2afa9faf3dc82f3c66027764f928740e
                                    • Instruction ID: f6b669a0ff2fa37a52ca845d9dcb9bb96d7ad14907128b6f1522b9448bab91c2
                                    • Opcode Fuzzy Hash: 9677c91cd2136fcadb562a4cfd923e5c2afa9faf3dc82f3c66027764f928740e
                                    • Instruction Fuzzy Hash: B0F0C2362007046FDB246F359C85B6A7B91EB8036CF05846CFA454B690D6F59D429B54
                                    APIs
                                      • Part of subcall function 00C7BA2A: EnterCriticalSection.KERNEL32(?,?,00C7E6DE,?,00D6A938,00000008,00C7E8A2,?,?,?), ref: 00C7BA39
                                    • EnumSystemLocalesW.KERNEL32(00C80DCC,00000001,00D6AA38,0000000C,00C811FB,00000000), ref: 00C80E11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: f19a5e46866e170b0266dfdf7c3251196abc3ab59e15d57109f0c6cf823f5c34
                                    • Instruction ID: dbac1f6bcebea3a73ea24fb5bb1e19c65c2404abde07a708b68709bb417c8a13
                                    • Opcode Fuzzy Hash: f19a5e46866e170b0266dfdf7c3251196abc3ab59e15d57109f0c6cf823f5c34
                                    • Instruction Fuzzy Hash: 8CF03772A00700DFD710EF98E842B9D7BF0EB48724F10852AF519EB3E0EB7599059B61
                                    APIs
                                      • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
                                      • Part of subcall function 00C7EA06: SetLastError.KERNEL32(00000000), ref: 00C7EAAC
                                    • EnumSystemLocalesW.KERNEL32(00C84F4B,00000001,00000000,?,?,00C857B6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00C85029
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: b51561c1cc61177725a6495653dc410b58a8b5e59d94280638f1491640c4a476
                                    • Instruction ID: a508f057ced2cadc71ff9ebe2501d1b44c834677ab4d6e7045551b40ab01ba8d
                                    • Opcode Fuzzy Hash: b51561c1cc61177725a6495653dc410b58a8b5e59d94280638f1491640c4a476
                                    • Instruction Fuzzy Hash: 44F0553630020557CB14AF75D88576A7F90EFC1768B064099EA098B240D6719943D794
                                    APIs
                                    • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00AEFFA7,?,?,?,?,?,?,?,?,00AEFE18,?,?), ref: 00AF1920
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    • Opcode ID: 8c33e6dad289c3e984ff443e224f7198558e0a30c842968ab87fcb369bf552af
                                    • Instruction ID: 81b55feccdc1dbd9e0fda57726713a832665512dda06fd0a1c6c78aec42e7125
                                    • Opcode Fuzzy Hash: 8c33e6dad289c3e984ff443e224f7198558e0a30c842968ab87fcb369bf552af
                                    • Instruction Fuzzy Hash: ECF08230005145DEE7009B94D8A8A79B7AAFB44356F4845E5F198C5565C3BA8E81DF50
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00C7B0A4,?,20001004,00000000,00000002,?,?,00C7A6A6), ref: 00C8138A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 7d31571784a16532ffff0f8da4b4d1009288c576ab0c219d07556ed4c49fe78e
                                    • Instruction ID: 878b08171c11e1e4ccf0df7d85c779c25e0377e6dc2b1e634ae0b9b21b219f53
                                    • Opcode Fuzzy Hash: 7d31571784a16532ffff0f8da4b4d1009288c576ab0c219d07556ed4c49fe78e
                                    • Instruction Fuzzy Hash: 01E04F3150025CBBCF127F61DC08BAE7E5EEF45750F044410FD196A131CB319922AB98
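The entries above give, per recovered function, its API calls with the stack slots at the call site (for instance RaiseException at 00C81BCD and GetLocaleInfoW at 00C85611), the memory dump it was recovered from, and the IDs used for similarity matching. The Python below is an added example and not part of the Joe Sandbox report or its IDA plugin: it parses such entries into records, decodes the documented Windows constants that appear in them (0xC000000D is STATUS_INVALID_PARAMETER; 0x20000001 is LOCALE_ILANGUAGE with LOCALE_RETURN_NUMBER, consistent with the cchData of 2 in the next slot), and pivots functions by API ID. The argument lists contain code addresses such as 00C8199B and 00C8CAFF, so they are raw stack slots; the example decodes only the leading slots that correspond to formal parameters, and the 20001004 deep in the 00C8138A list is deliberately not treated as an LCType. The field layout assumed for the .sdmp file names (process, stage, id, base address, page protection, region type) is an assumption about Joe Sandbox's naming scheme: it agrees with the two dumps in this section (0x20 and 0x01000000 for the PE image at 00AD0000, 0x04 and 0x00020000 for the private region at 011FC000) but is not documented on this page. The sample input is constructed from three abridged entries of this listing.

```python
"""Added example (not Joe Sandbox code): parse IDA-plugin function entries.
The .sdmp field layout in parse_dump_name is an assumption about Joe Sandbox naming."""
import re
from collections import defaultdict

# Documented Windows constants used for decoding.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
NTSTATUS = {0xC000000D: "STATUS_INVALID_PARAMETER", 0xC0000005: "STATUS_ACCESS_VIOLATION"}
LCTYPE = {0x0001: "LOCALE_ILANGUAGE", 0x1004: "LOCALE_IDEFAULTANSICODEPAGE",
          0x0059: "LOCALE_SISO639LANGNAME", 0x005A: "LOCALE_SISO3166CTRYNAME"}
LOCALE_RETURN_NUMBER = 0x20000000

CALL_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                     r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)")
SRC_RE = re.compile(r"Source File: (?P<name>\S+\.sdmp), Offset: (?P<off>[0-9A-F]+), based on PE: (?P<pe>true|false)")
FIELD_RE = re.compile(r"^(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash): ?(?P<val>.*)$")

def parse_dump_name(name):
    """Assumed layout: proc.stage.id.base.protect.?.type.?.sdmp (hex fields)."""
    f = name.split(".")
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {"process": int(f[0], 16), "stage": int(f[1], 16), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)), "type": MEM_TYPE.get(mtype, hex(mtype))}

def parse_arg(tok):
    tok = tok.strip()                      # "?" is a slot the plugin could not resolve
    return None if tok in ("", "?") else int(tok, 16)

def parse_listing(text):
    """One record per entry; 'Instruction Fuzzy Hash' is the last line of each entry."""
    records, cur = [], {"calls": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = CALL_RE.search(line)
        if m:
            cur["calls"].append({"api": m["api"], "module": m["mod"], "subcall": m["sub"],
                                 "ref": int(m["ref"], 16),
                                 "args": [parse_arg(a) for a in m["args"].split(",")]})
            continue
        m = SRC_RE.search(line)
        if m:
            cur["source"] = dict(parse_dump_name(m["name"]), name=m["name"],
                                 offset=int(m["off"], 16), pe=(m["pe"] == "true"))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"calls": []}
    return records

def annotate(call):
    """Decode only the leading stack slots that are the API's formal parameters."""
    api, args = call["api"], call["args"]
    if api == "RaiseException" and args and args[0] is not None:
        code = args[0] & 0xFFFFFFFF
        return [NTSTATUS.get(code, "code 0x%08X" % code)]
    if api == "GetLocaleInfoW" and len(args) > 1 and args[1] is not None:
        base = args[1] & 0x00FFFFFF        # LCTYPE flags live in the top byte
        name = LCTYPE.get(base, "LCTYPE 0x%X" % base)
        flags = ["LOCALE_RETURN_NUMBER"] if args[1] & LOCALE_RETURN_NUMBER else []
        return [" | ".join([name] + flags)]
    return []

def decoded_calls(records):
    """(ref, module!api, notes) for each direct call; 'Part of subcall' lines are skipped."""
    return [("%08X" % c["ref"], "%s!%s" % (c["module"], c["api"]), annotate(c))
            for r in records for c in r["calls"] if c["subcall"] is None]

def index_by_api_id(records):
    """Pivot: Opcode IDs of every function that shares an API ID."""
    idx = defaultdict(list)
    for r in records:
        idx[r.get("API ID", "")].append(r.get("Opcode ID"))
    return dict(idx)

# Constructed input: three entries copied (abridged) from the listing above.
SAMPLE = """
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C8199B,?,?,00000008,?,?,00C8CAFF,00000000), ref: 00C81BCD
• Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
• API ID: ExceptionRaise
• Opcode ID: 5e8c99a1dd73b2a815011b43be8df2bea2a06dbe83035479d381856eae2a1e55
• Instruction Fuzzy Hash: 43B15271210608DFD718DF28C486B657BE4FF45369F298658E8E9CF2A1C335EA92CB44
  • Part of subcall function 00C7EA06: GetLastError.KERNEL32(?,00000008,00C80623,?,00B0254D,00BD1180,?,00000008), ref: 00C7EA0A
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00C8537F,00000000,00000000,?), ref: 00C85611
• Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
• API ID: ErrorLast$InfoLocale
• Opcode ID: 33244191fd7af71f9ade86e21b799560d5c6928b9edce6d605f3158f72b05b01
• Instruction Fuzzy Hash: 36F0A936A00512BBDB246625C8497BF7B64EB4075CF554468FD16A3240FAB4FF41CB94
• Source File: 00000000.00000003.2182938245.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, Offset: 011FC000, based on PE: false
• String ID: St($Sx(
• Opcode ID: d6b47e0124660366337b4bf6513d04fba448c1f4399b0d99b237881744d26c94
• Instruction Fuzzy Hash: 0DF13EA685E3C16FDB138B34486A6913FB0AE23214B4F85DBC4C0CF4B3E659494AD763
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for ref, api, notes in decoded_calls(recs):
        print(ref, api, notes, recs and index_by_api_id(recs))
```

Run it over the full execution-graph text of the report instead of SAMPLE to get the API-ID pivot across every recovered function; entries that share an Opcode ID, such as the two St($Sx( entries at the top of this section, then show up as repeated values under one key.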
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 1
                                    • API String ID: 0-2212294583
                                    • Opcode ID: d9ad529c412b7ef0981b7181213bc4885b5a6051220ad23cce3a250a415bfad7
                                    • Instruction ID: a665fb4a263e444c1efd95eed9717c7dd80ab1a7f5db24b8e2b8523bd14308a1
                                    • Opcode Fuzzy Hash: d9ad529c412b7ef0981b7181213bc4885b5a6051220ad23cce3a250a415bfad7
                                    • Instruction Fuzzy Hash: A7D123B0501789EFEB45CF64C15879ABFF4BF05308F14829DD4599B292C3BAA608CB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 69604e5c04290cf9a318f73f9ea52eee6fbefaa47c871c17ff5b531e7c7dd3ed
                                    • Instruction ID: 755ce166f50fd6a744487d0a0852eda921e333e53f621d6a5b0678f300cf2f58
                                    • Opcode Fuzzy Hash: 69604e5c04290cf9a318f73f9ea52eee6fbefaa47c871c17ff5b531e7c7dd3ed
                                    • Instruction Fuzzy Hash: C8E18D70A006058FCB34CF68E5D0A6EB7F1FF49314B24866DD4AA9B2A1D730AE47DB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                    • String ID:
                                    • API String ID: 3471368781-0
                                    • Opcode ID: e73b26ad3eea881ab8bffcb891de12b25bfed6f89a9f46d2db830eddb5959d5f
                                    • Instruction ID: ee80079bfa5286ced6d6f7c0a808d244f555ed7c405e8c9b90d882f41b5eed85
                                    • Opcode Fuzzy Hash: e73b26ad3eea881ab8bffcb891de12b25bfed6f89a9f46d2db830eddb5959d5f
                                    • Instruction Fuzzy Hash: 08B1F5355007069BDB3CEF24CC82BBBB3E9EB5430CF54452DE997C6680EA75AA41DB18
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Similarity
                                    • Opcode ID: 8544c368d8a71f234933cdae99bc6904cb4cb7f3c44e596aef06acfe4f112f14
                                    • Instruction ID: 967e374dd87b697def5006cf4cdf8f833cd288ab55352dac717dde4c513dad96
                                    • Opcode Fuzzy Hash: 8544c368d8a71f234933cdae99bc6904cb4cb7f3c44e596aef06acfe4f112f14
                                    • Instruction Fuzzy Hash: 9371E7B1801B48CFE761CF78C94578ABBF0BB05324F148A5DD4A99B3D1D3B9A648CB91
                                    Similarity
                                    • Opcode ID: 729d6ad66bd7f17031d7353e7861ecd57d12357906734aa8edc56208de68282c
                                    • Instruction ID: d9aa52127624cc992ec0760310d39dc7a0db7fbf4c09913df1b7cebd8f91dbde
                                    • Opcode Fuzzy Hash: 729d6ad66bd7f17031d7353e7861ecd57d12357906734aa8edc56208de68282c
                                    • Instruction Fuzzy Hash: 7741F2B0901B49EED704CF69C50878AFBF0BB19318F20869DC4589B781D3BAA618CFD5
                                    Similarity
                                    • Opcode ID: c3db217cbc8ce4f02ccb983ae455f0745693a463fb10fb523a5f69a273fa182b
                                    • Instruction ID: 1a9455032270bcfb11c797570916d492fddb5cfdc0e810aa64027c5a5a4f885a
                                    • Opcode Fuzzy Hash: c3db217cbc8ce4f02ccb983ae455f0745693a463fb10fb523a5f69a273fa182b
                                    • Instruction Fuzzy Hash: 5531CFB0405B84CEE721CF29C558347BFF0BB15718F108A5DD5A68BB91D3BAA648CB91
                                    Similarity
                                    • Opcode ID: 4a868d2921c042d601f5caf14fd79845d1f9c73b6ec62ff362a2f5cf5bc30796
                                    • Instruction ID: ab65291438bec622ca4605a0884e0ab26e2bd376a50cfe01aaa1d3c7e057da7e
                                    • Opcode Fuzzy Hash: 4a868d2921c042d601f5caf14fd79845d1f9c73b6ec62ff362a2f5cf5bc30796
                                    • Instruction Fuzzy Hash: E8216AB1804B48CFDB10CF58C90479ABBF4FB09314F1186AED4559B791E3B9AA44CF91
                                    Similarity
                                    • Opcode ID: 58be89f311ada8f38110a812a2ddbc92d92d958121fa276ff08300cc362633de
                                    • Instruction ID: e6d7313971a1c4fe8662f06059787b45388ea850257bdc9c4590265ed14220b2
                                    • Opcode Fuzzy Hash: 58be89f311ada8f38110a812a2ddbc92d92d958121fa276ff08300cc362633de
                                    • Instruction Fuzzy Hash: BB215BB1804748CFD710CF58D90478ABBF4FB09314F1186AED4559B791E3B9AA44CF91
                                    Similarity
                                    • Opcode ID: 560db674e667e583743452d0169d4546ddd76efd9a51e78208ba347326c72318
                                    • Instruction ID: b60212ae3fc190bc5776b63486cea962cbf42759afb88e8913be221cbbcc87f2
                                    • Opcode Fuzzy Hash: 560db674e667e583743452d0169d4546ddd76efd9a51e78208ba347326c72318
                                    • Instruction Fuzzy Hash: 961100B1905648DFCB40CF58D544749BBF4FB08328F2086AEE818DB381D3769A06CF90
                                    Similarity
                                    • Opcode ID: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                    • Instruction ID: d9dc89eb2eb2ba69d361b234d594ec8b8d4f9466561d96f6073e65ab04c0688e
                                    • Opcode Fuzzy Hash: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                    • Instruction Fuzzy Hash: 27E08C32911278EBCB29EB98CA0498AF3ECEB44B88B5500AAF601D3240C670DE00E7D4
                                    Similarity
                                    • Opcode ID: 196375293714f82e9c99ca5bb7d726515ed7690d3670f28b5cdcddecd6e68249
                                    • Instruction ID: f537a37967da9feb0c8d55073daeaebde3697ebdf47dd739d793732b1b84cb7d
                                    • Opcode Fuzzy Hash: 196375293714f82e9c99ca5bb7d726515ed7690d3670f28b5cdcddecd6e68249
                                    • Instruction Fuzzy Hash: 1EC08C3441094087CF29A91082713B43367BB9178AF80048DC42F0BAC3C95E9D86F742
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • GetModuleHandleW.KERNEL32(kernel32,83C8296E,?,?,00000000), ref: 00BBB1F3
                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00BBB23B
                                    • __Init_thread_footer.LIBCMT ref: 00BBB24E
                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00BBB296
                                    • __Init_thread_footer.LIBCMT ref: 00BBB2A9
                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BBB2F1
                                    • __Init_thread_footer.LIBCMT ref: 00BBB304
                                      • Part of subcall function 00B92620: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00B92661
                                      • Part of subcall function 00B92620: _wcschr.LIBVCRUNTIME ref: 00B9271F
                                    Strings
                                    • SetDefaultDllDirectories, xrefs: 00BBB2EB
                                    • kernel32, xrefs: 00BBB1EE
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00BBB180, 00BBB18F
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00BBB187
                                    • SetSearchPathMode, xrefs: 00BBB235
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00BBB167, 00BBB16F
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00BBB162
                                    • SetDllDirectory, xrefs: 00BBB290
                                    • kernel32.dll, xrefs: 00BBB44D
                                    Similarity
                                    • API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
                                    • String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
                                    • API String ID: 1258094593-3455668873
                                    • Opcode ID: 163aaf17fcf0ed2ad324fad1477c0a13a0622c17d3954ca5588b9008e6184cda
                                    • Instruction ID: 33f3baaa419eee23577ed6e57f01ebbef59cfc74d78bb3c8948fdeb4a1fbbb0a
                                    • Opcode Fuzzy Hash: 163aaf17fcf0ed2ad324fad1477c0a13a0622c17d3954ca5588b9008e6184cda
                                    • Instruction Fuzzy Hash: 44A148B09043189FDB20CF54D849B9EBBB4EB11318F9046A9E85CAB3C1DBB15948DFB1
                                    APIs
                                    • GetDlgItem.USER32(?,000001F6), ref: 00BDAD5E
                                    • GetDlgItem.USER32(?,000001F8), ref: 00BDAD6B
                                    • GetDlgItem.USER32(?,000001F7), ref: 00BDADB8
                                    • SetWindowTextW.USER32(00000000,00000000), ref: 00BDADC7
                                    • ShowWindow.USER32(?,00000005), ref: 00BDADE7
                                      • Part of subcall function 00BDA210: GetWindowLongW.USER32(?,000000F0), ref: 00BDA24F
                                      • Part of subcall function 00BDA210: GetWindowLongW.USER32(?,000000F0), ref: 00BDA260
                                      • Part of subcall function 00BDA210: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BDA272
                                      • Part of subcall function 00BDA210: GetWindowLongW.USER32(?,000000EC), ref: 00BDA285
                                      • Part of subcall function 00BDA210: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BDA294
                                      • Part of subcall function 00BDA210: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00BDA2A8
                                      • Part of subcall function 00BDA210: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BDA2B7
                                    • GetDlgItem.USER32(?,000001F7), ref: 00BDAE06
                                    • SetWindowTextW.USER32(00000000,00000000), ref: 00BDAE15
                                    • ShowWindow.USER32(?,00000000), ref: 00BDAE35
                                    • ShowWindow.USER32(?,00000000), ref: 00BDAE3C
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00BDAE85
                                    • GetDlgItem.USER32(00000000,00000000), ref: 00BDAEB9
                                    • IsWindow.USER32(00000000), ref: 00BDAEC3
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000616), ref: 00BDAF10
                                    Similarity
                                    • API ID: Window$ItemLong$Show$MessageSendText
                                    • String ID: Details <<$Details >>
                                    • API String ID: 1573988680-3763984547
                                    • Opcode ID: 38d671c078ef95b6c0bea3f6e45c20c400bd484960f650f9775a956e27f1a5ce
                                    • Instruction ID: 7e99aa367f5155bfb257d75cbe14ca59ea6fbb1bb51da329702b80d8a897c2f1
                                    • Opcode Fuzzy Hash: 38d671c078ef95b6c0bea3f6e45c20c400bd484960f650f9775a956e27f1a5ce
                                    • Instruction Fuzzy Hash: 4271A1B1900608AFDB24DFA8DC45BAEFBF1EF44704F14466EF405A7291E771A881CB61
                                    APIs
                                    • OutputDebugStringW.KERNEL32(?,83C8296E,?,?,?,00CCD4D5,000000FF,?,00C1127F,?,?,?,00000000), ref: 00BDEB18
                                    • GetActiveWindow.USER32 ref: 00BDEA7A
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    Strings
                                    • "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00BDFB1F
                                    • TRANSFORMS=:%s.mst MSINEWINSTANCE=1 , xrefs: 00BDF750
                                    • .msi, xrefs: 00BDF587, 00BDFA80
                                    • TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1, xrefs: 00BDF6F7
                                    • majorupgrade-content.mst, xrefs: 00BDF596, 00BDFA8F
                                    • "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00BDF5F2
                                    • %s , xrefs: 00BDF88C, 00BDFBC1
                                    • AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00BDF9D5
                                    • REINSTALL=ALL REINSTALLMODE=vomus , xrefs: 00BDFBD3
                                    • TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 , xrefs: 00BDF73F
                                    • MSINEWINSTANCE=1 , xrefs: 00BDF726
                                    • "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00BDF658
                                    • .mst, xrefs: 00BDF5D7, 00BDF63E, 00BDFAFE
                                    Similarity
                                    • API ID: Init_thread_footer$ActiveDebugHeapOutputProcessStringWindow
                                    • String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$majorupgrade-content.mst
                                    • API String ID: 758407959-743168453
                                    • Opcode ID: a85bd24e62f6e760f59d76f640ad2c12ed91e42cca7a25f2ff7f345088712ea2
                                    • Instruction ID: 53327ccd3d53e71f996f8ace130f0d5d62e0d34dce1fb2882b085fc5c8a154e4
                                    • Opcode Fuzzy Hash: a85bd24e62f6e760f59d76f640ad2c12ed91e42cca7a25f2ff7f345088712ea2
                                    • Instruction Fuzzy Hash: 4151BF75A006459FDB14DB6CC8457AEBBF5EF45320F1482AAE816EB391EB309D00CBA1
                                    Similarity
                                    • API ID: ParentWindowlstrcmp
                                    • String ID: #32770
                                    • API String ID: 3676684576-463685578
                                    • Opcode ID: 63dbf6078b6d77668b76a5bccb3e2401307aa2be937b173da79cb6983473015e
                                    • Instruction ID: 1b7aaa9614769f5d62720fff80ff237a401958dc09d2a32c236bdd72e48bfcf5
                                    • Opcode Fuzzy Hash: 63dbf6078b6d77668b76a5bccb3e2401307aa2be937b173da79cb6983473015e
                                    • Instruction Fuzzy Hash: D4E19E70A01269AFDB14CFA9C884FEDBBB5FF49714F148168F805AB290E774AD44CB61
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,83C8296E,?,?,00000000,?,?,?,?,?,?,83C8296E,00C99E15,000000FF), ref: 00B0DB3D
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00B0DB43
                                    • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,83C8296E,00C99E15,000000FF,?,00B245FA,00CFC86C,83C8296E,83C8296E), ref: 00B0DB73
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00B0DB79
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                    • API String ID: 2574300362-2454113998
                                    • Opcode ID: 473526e35acd55fc2ee2d3ebfc21941722c9d04491eb41f21579b1efce388e85
                                    • Instruction ID: 7c21a42bdc04230f086ba00076a020b4c20f647ca0a7f888fa70b5884dc2fc82
                                    • Opcode Fuzzy Hash: 473526e35acd55fc2ee2d3ebfc21941722c9d04491eb41f21579b1efce388e85
                                    • Instruction Fuzzy Hash: E5A139B1A00209EFDB25DFA8C895BEDBBF4EF48710F144169E511A72D0EB709A48CB61
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,83C8296E,?,?,?,?,?,?,?,83C8296E,00C974D5,000000FF,?,00B03AAA,00CF84E0), ref: 00B037F7
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00B037FD
                                    • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,83C8296E,00C974D5,000000FF,?,00B03AAA,00CF84E0,83C8296E,83C8296E), ref: 00B0382E
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00B03834
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                    • API String ID: 2574300362-2454113998
                                    • Opcode ID: b8804b9811a22e801e5c699c7da8548ea37b2765c3948124f32f03acc29a4d5d
                                    • Instruction ID: 2cfe8aea0e55bfc2597ec24397521515fa965c1ac5aa53e890ed6729ef917f07
                                    • Opcode Fuzzy Hash: b8804b9811a22e801e5c699c7da8548ea37b2765c3948124f32f03acc29a4d5d
                                    • Instruction Fuzzy Hash: BD8161B1A00248EFDB15DFA8C999BEDBBF8EF08710F1441A9E511A72D1DB709A44CB61
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,83C8296E,?,?), ref: 00BFFEF3
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 00C00089
                                    • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00C000E5
                                    • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 00C00135
                                    • RegCloseKey.ADVAPI32(?), ref: 00C00175
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: OpenQueryValue$Close
                                    • String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
                                    • API String ID: 2529929805-1079072530
                                    • Opcode ID: fd28820ac723b047fda8757eb32327a39fff395c2ad9c0b691310747fcdf5cd1
                                    • Instruction ID: ccf5b62690067a437371fb2085fe1376150d40a3f0f8295297b6c7f511ce9184
                                    • Opcode Fuzzy Hash: fd28820ac723b047fda8757eb32327a39fff395c2ad9c0b691310747fcdf5cd1
                                    • Instruction Fuzzy Hash: 7F028F709056699BDB20DF68CC8CBAEB7B4EF44304F2142D9E819A7291DB75AF84CF50
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(00D7711C,83C8296E,?,?,00000000), ref: 00BD92F3
                                    • EnterCriticalSection.KERNEL32(?,83C8296E,?,?,00000000,?,?,?,?,?,00000000,00CCC417,000000FF), ref: 00BD9305
                                    • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00CCC417,000000FF), ref: 00BD9312
                                    • GetCurrentThread.KERNEL32 ref: 00BD931D
                                    • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00CF438C,00000000), ref: 00BD94FE
                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 00BD95DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                    • String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
                                    • API String ID: 3051236879-1086252000
                                    • Opcode ID: 179796f0390417fe1e79094d7e7d3f8dabfc3851f6a644296a471ece6669d882
                                    • Instruction ID: c2f9550733cb51fa9dae44e6919a0228fb7e8afabe51d58d679b37cd2876ee29
                                    • Opcode Fuzzy Hash: 179796f0390417fe1e79094d7e7d3f8dabfc3851f6a644296a471ece6669d882
                                    • Instruction Fuzzy Hash: 83C16A719043889FDB25DF64CD45BEEBBB8FB04708F404569E9099B381EBB55B08CBA1
                                    APIs
                                    • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,83C8296E), ref: 00AFCC38
                                      • Part of subcall function 00AE0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AE0E96
                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00AFCD3B
                                    • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00AFCD4F
                                    • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00AFCD64
                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00AFCD79
                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00AFCD90
                                    • GetWindowRect.USER32(?,?), ref: 00AFCDC2
                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00AFCE24
                                    • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00AFCE34
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateLongRect
                                    • String ID: ,$tooltips_class32
                                    • API String ID: 1954517558-3856767331
                                    • Opcode ID: b927ce88379661a917b8ad9936fbbd4b31de28b38f51236de9f39a84566aedc0
                                    • Instruction ID: 62c3ead7e5d40eb7ad6a49b942e3c6e4a5740239f75cd21ac1d16119de60caf7
                                    • Opcode Fuzzy Hash: b927ce88379661a917b8ad9936fbbd4b31de28b38f51236de9f39a84566aedc0
                                    • Instruction Fuzzy Hash: ED914071A00708AFDB14CFA5DD95FAEBBF9FB08304F10452AF516EA294D774A944CB60
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(00D7711C,83C8296E,?,?,00000000), ref: 00BD92F3
                                    • EnterCriticalSection.KERNEL32(?,83C8296E,?,?,00000000,?,?,?,?,?,00000000,00CCC417,000000FF), ref: 00BD9305
                                    • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00CCC417,000000FF), ref: 00BD9312
                                    • GetCurrentThread.KERNEL32 ref: 00BD931D
                                    • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00CF438C,00000000), ref: 00BD94FE
                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 00BD95DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                    • String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
                                    • API String ID: 3051236879-1086252000
                                    • Opcode ID: 2c3721639911e5f40e8dbefb07bb81d55f3d9598b686e25b89ffa90868f788ce
                                    • Instruction ID: dfcf955858277754ab51787055020e40f24f101615b9b8fb34ed5233b2733b8d
                                    • Opcode Fuzzy Hash: 2c3721639911e5f40e8dbefb07bb81d55f3d9598b686e25b89ffa90868f788ce
                                    • Instruction Fuzzy Hash: C9A169719043889FDB25DFA4CD55BEE7BB8FF04308F404169E909AB291EB755B08CB61
                                    APIs
                                      • Part of subcall function 00BD3320: LoadLibraryW.KERNEL32(ComCtl32.dll,83C8296E,00000000,?,00000000), ref: 00BD335E
                                      • Part of subcall function 00BD3320: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00BD3381
                                      • Part of subcall function 00BD3320: FreeLibrary.KERNEL32(00000000), ref: 00BD33FF
                                    • GetDlgItem.USER32(?,000001F4), ref: 00BDABC1
                                    • SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00BDABD2
                                    • MulDiv.KERNEL32(00000009,00000000), ref: 00BDABEA
                                    • GetDlgItem.USER32(?,000001F6), ref: 00BDAC24
                                    • IsWindow.USER32(00000000), ref: 00BDAC2D
                                    • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00BDAC44
                                    • GetDlgItem.USER32(?,000001F8), ref: 00BDAC4E
                                    • GetWindowRect.USER32(?,?), ref: 00BDAC5F
                                    • GetWindowRect.USER32(?,?), ref: 00BDAC72
                                    • GetWindowRect.USER32(00000000,?), ref: 00BDAC82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
                                    • String ID: Courier New
                                    • API String ID: 1717253393-2572734833
                                    • Opcode ID: 30974f882cf202c19b42594e55718757710978c4fd96bf0bf5c1d0c126174e3e
                                    • Instruction ID: e8f77ad5a9451838ea726778eabb0e3935222fb907208bddaa4a3a98a8daf25d
                                    • Opcode Fuzzy Hash: 30974f882cf202c19b42594e55718757710978c4fd96bf0bf5c1d0c126174e3e
                                    • Instruction Fuzzy Hash: 024187717843047BE7149F659C46FAE77E9EF48B04F01451AFA09BA2D1EAF0A8808B55
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00BD646E
                                    • __Init_thread_footer.LIBCMT ref: 00BD65C7
                                    • GetStdHandle.KERNEL32(000000F5,?,83C8296E,?,?), ref: 00BD664F
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00BD6656
                                    • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00BD666A
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00BD6671
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,00000000,00000000,00CF68B8,00000002,?,?), ref: 00BD6700
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00BD6707
                                    • IsWindow.USER32(00000000), ref: 00BD6920
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
                                    • String ID: Error
                                    • API String ID: 2811146417-2619118453
                                    • Opcode ID: 4d213cfac79935d2c1205dfdbad06d6b4cce13c2c30ffedea821ea677b0fd452
                                    • Instruction ID: 07143fa59e6d90d6f3c5b478f11309b7b3d8bd6361303c57191f76a068adc80d
                                    • Opcode Fuzzy Hash: 4d213cfac79935d2c1205dfdbad06d6b4cce13c2c30ffedea821ea677b0fd452
                                    • Instruction Fuzzy Hash: 8C225970D00358DFDB14DFA4C945B9EBBB4EF05314F108699E419AB390EB75AA88CF61
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00D77250,83C8296E,00000000,?,?,?,?,?,?,00ADEE60,00C907AD,000000FF), ref: 00ADF63D
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00ADF6B8
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00ADF75E
                                    • LeaveCriticalSection.KERNEL32(00D77250), ref: 00ADF7B3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalCursorLoadSection$EnterLeave
                                    • String ID: v$0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
                                    • API String ID: 3727441302-556780245
                                    • Opcode ID: 2c832c98ebcb5bae722c356a9082056d7fb304cabde7d24959e6a64eaaa84de7
                                    • Instruction ID: fc4bf2e0396a29085aa3c30ae55d649cfa1c210996c713461414b20d4c1f0d85
                                    • Opcode Fuzzy Hash: 2c832c98ebcb5bae722c356a9082056d7fb304cabde7d24959e6a64eaaa84de7
                                    • Instruction Fuzzy Hash: 195113B0C01359AFDB51DFA4E848BDEBFB8FB08714F10412AE409E7390E7B55A458BA1
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00B35AB7
                                    • GetParent.USER32 ref: 00B35ACD
                                    • GetWindowRect.USER32(?,?), ref: 00B35AD8
                                    • GetParent.USER32(?), ref: 00B35AE0
                                    • GetWindow.USER32(?,00000004), ref: 00B35B12
                                    • GetWindowRect.USER32(?,?), ref: 00B35B20
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00B35B2D
                                    • MonitorFromWindow.USER32(?,00000002), ref: 00B35B45
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00B35B5F
                                    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00B35C0D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$LongMonitorParentRect$FromInfo
                                    • String ID:
                                    • API String ID: 1820395375-0
                                    • Opcode ID: 8aba181ca23abba42fca8976698f45cd40081b9def5ccc984fdfc65f858ba6d7
                                    • Instruction ID: d1e3a5c5be23f3bfb02bea5f99fc266c8bd9c4201de14ef0c1205c319983837d
                                    • Opcode Fuzzy Hash: 8aba181ca23abba42fca8976698f45cd40081b9def5ccc984fdfc65f858ba6d7
                                    • Instruction Fuzzy Hash: 67517272D006199FDB20CFA8DD45ADEBBB9FB48714F644269E815F3294EB30AD44CB60
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BDA24F
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BDA260
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BDA272
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00BDA285
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BDA294
                                    • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00BDA2A8
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BDA2B7
                                    • GetWindowRect.USER32(?,?), ref: 00BDA2F6
                                    • GetDlgItem.USER32(?,?), ref: 00BDA332
                                    • IsWindow.USER32(00000000), ref: 00BDA33D
                                    • GetWindowRect.USER32(?,?), ref: 00BDA358
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$MessageRectSend$Item
                                    • String ID:
                                    • API String ID: 661679956-0
                                    • Opcode ID: 3e37882c10aa35c85e1f837dd36ec2a18a4252ddbd8d80263586730be02c8c89
                                    • Instruction ID: cfad7520ff7deb7898ad782ec92bc9a652f2a87b72a219f946762515afecc5e2
                                    • Opcode Fuzzy Hash: 3e37882c10aa35c85e1f837dd36ec2a18a4252ddbd8d80263586730be02c8c89
                                    • Instruction Fuzzy Hash: 4A418D715047029FD720DF69EC84B2BF7E5EF98714F108A1EF599D2291EB70E8848B62
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
                                    • API String ID: 0-2691827946
                                    • Opcode ID: 6275331d437068081de1505480df6a60aed9c62da81f63acca685781eb2fa147
                                    • Instruction ID: 954932cc01c956dcaeb5c5023191d0fe6517916f6d26cf5349929efdb7cafc68
                                    • Opcode Fuzzy Hash: 6275331d437068081de1505480df6a60aed9c62da81f63acca685781eb2fa147
                                    • Instruction Fuzzy Hash: CAB19DB1A04784DFDB14DF48E94575EBBA1FB45320F10826EE8299B7D0D7B69B00CBA1
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _wcschr
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
                                    • API String ID: 2691759472-1956487666
                                    • Opcode ID: 048592ff8c7c5cab591e060ca6b11201192661f693fec6134557697cd7e6315b
                                    • Instruction ID: 8ce2d058f575d18d148ef00936808db7e329989fac88d88a72ab297335b28721
                                    • Opcode Fuzzy Hash: 048592ff8c7c5cab591e060ca6b11201192661f693fec6134557697cd7e6315b
                                    • Instruction Fuzzy Hash: DE41FA7294020AABDF21DA54CC01B7AB7E4FB10311F184675AD25E32F1E631DD18CA61
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • CreateThread.KERNEL32(00000000,00000000,00B02D20,00CF8468,00000000,?), ref: 00B02C9A
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B02CB3
                                    • CloseHandle.KERNEL32(00000000), ref: 00B02CC9
                                    • CoInitializeEx.COMBASE(00000000,00000000), ref: 00B02D79
                                    • GetProcessHeap.KERNEL32(?,00000000), ref: 00B02E7B
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 00B02E81
                                    • GetProcessHeap.KERNEL32(?,00000000), ref: 00B02F00
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 00B02F06
                                    • CoUninitialize.COMBASE ref: 00B0305A
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00B030DB
                                    Similarity
                                    • API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
                                    • String ID:
                                    • API String ID: 1779960141-0
                                    • Opcode ID: fe78b7f05843b034cb42074384781d8115080f9fcf9fc849bbb35af8e5ab3dd9
                                    • Instruction ID: 5586cfa29ce896b59a94e1f999b68006a039c7e47f90298fe235dc135c9119cf
                                    • Opcode Fuzzy Hash: fe78b7f05843b034cb42074384781d8115080f9fcf9fc849bbb35af8e5ab3dd9
                                    • Instruction Fuzzy Hash: C5F16FB0D01249DFDF14CFA4C989BAEBBF8FF44704F248199E405AB291D7749A48CBA1
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00AF34DA
                                    • VariantClear.OLEAUT32(?), ref: 00AF350C
                                    • VariantClear.OLEAUT32(?), ref: 00AF3606
                                    • VariantClear.OLEAUT32(?), ref: 00AF3635
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AF363C
                                    • SysAllocString.OLEAUT32(00000000), ref: 00AF3683
                                    • VariantClear.OLEAUT32(?), ref: 00AF370A
                                    • VariantClear.OLEAUT32(?), ref: 00AF373C
                                    • VariantClear.OLEAUT32(?), ref: 00AF3817
                                    • VariantClear.OLEAUT32(?), ref: 00AF3846
                                    Similarity
                                    • API ID: ClearVariant$String$AllocFree
                                    • String ID:
                                    • API String ID: 1305860026-0
                                    • Opcode ID: eb6bc39639378b57171958b94ad6a28e1b1839f146dbcda0782694668423b6af
                                    • Instruction ID: f88fc672f9c42123dee4b11638df9fbd8eb7821b984b3eb5fa219b67c4c1e445
                                    • Opcode Fuzzy Hash: eb6bc39639378b57171958b94ad6a28e1b1839f146dbcda0782694668423b6af
                                    • Instruction Fuzzy Hash: 0DC17971A00648DFCF10DFA8C944BEEBBB4EF48710F148269E505E7391E778AA45CBA5
                                    APIs
                                    • GetSystemDefaultLangID.KERNEL32 ref: 00BF4B8C
                                    • GetUserDefaultLangID.KERNEL32 ref: 00BF4B99
                                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00BF4BAB
                                    • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00BF4BBF
                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00BF4BD4
                                    Strings
                                    Similarity
                                    • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                    • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                    • API String ID: 667524283-3528650308
                                    • Opcode ID: 446a9ff595cd20e137b45fe793607fda7fe037916e84a71938921825f9ba7670
                                    • Instruction ID: 315ae9df5d4075435593affa6b6630094dca30207a5771ce45739a9819a40b85
                                    • Opcode Fuzzy Hash: 446a9ff595cd20e137b45fe793607fda7fe037916e84a71938921825f9ba7670
                                    • Instruction Fuzzy Hash: 5D41AE706053459FCB50EF28A89077BB7E2EFD8311F81296EE985C7240E735D949CB52
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 00C6A9C7
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00C6A9CF
                                    • _ValidateLocalCookies.LIBCMT ref: 00C6AA58
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00C6AA83
                                    • _ValidateLocalCookies.LIBCMT ref: 00C6AAD8
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00C6AAEE
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00C6AB03
                                    Strings
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                    • String ID: csm
                                    • API String ID: 1385549066-1018135373
                                    • Opcode ID: 9bb8e201b6e6767bbfa871ab4e660ec430c313628bd0abe782b61585eb23d164
                                    • Instruction ID: 8c7a1d779d2f9813549d032897b2b1343927252890d776f208ec24663f13f28a
                                    • Opcode Fuzzy Hash: 9bb8e201b6e6767bbfa871ab4e660ec430c313628bd0abe782b61585eb23d164
                                    • Instruction Fuzzy Hash: A441C734900208EFCF30DFA8C8C1A9E7BA5AF45314F148056E825AB353D7359E55EF92
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EB), ref: 00BDA914
                                    • EndDialog.USER32(?,00000000), ref: 00BDA9D2
                                      • Part of subcall function 00BDA3B0: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00BDA3E2
                                      • Part of subcall function 00BDA3B0: GetWindowLongW.USER32(?,000000F0), ref: 00BDA3E8
                                      • Part of subcall function 00BDA3B0: GetDlgItem.USER32(?,?), ref: 00BDA45A
                                      • Part of subcall function 00BDA3B0: GetWindowRect.USER32(00000000,?), ref: 00BDA472
                                    Similarity
                                    • API ID: Window$Long$DialogItemMessageRectSend
                                    • String ID:
                                    • API String ID: 188208873-0
                                    • Opcode ID: 2a139e36d3958cdceb326450904d21c5ff10b3b464a03b8ed3ad17de5d1f1f69
                                    • Instruction ID: fd6398d3f1d4d505806a8c86be819068e1ee497b1e1bd2f6d3089c5f0677fa42
                                    • Opcode Fuzzy Hash: 2a139e36d3958cdceb326450904d21c5ff10b3b464a03b8ed3ad17de5d1f1f69
                                    • Instruction Fuzzy Hash: 5A71AE316006059BDB24CF68CC88BAEFBF5EB09720F14066AE516E77D0E7749981CB62
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00B2A6E0
                                    • SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00B2A70E
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00B2A53C), ref: 00B2A71F
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00B2A753
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B2A77F
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00B2A53C), ref: 00B2A796
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00B2A7BA
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B2A7D2
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00B2A53C), ref: 00B2A7E3
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID:
                                    • API String ID: 847901565-0
                                    • Opcode ID: 67d60e91d2c9ada76e6eccfdadad187eeb8d8d0100be1ef2585208c6386e1b8c
                                    • Instruction ID: 68188b716c597ba2454006a770e04dc998f47284cefde86802b5d3156dfe9b73
                                    • Opcode Fuzzy Hash: 67d60e91d2c9ada76e6eccfdadad187eeb8d8d0100be1ef2585208c6386e1b8c
                                    • Instruction Fuzzy Hash: ED312631604229BFEF258F24DC85FE93762EB84360F244229F91DDB2E0EBB59D809754
                                    APIs
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 00BBAEA9
                                    • CloseHandle.KERNEL32(00000000), ref: 00BBAED0
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                      • Part of subcall function 00BBCA40: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00BE4C1A,80070057,83C8296E,?,?,?,00C8E7D0,000000FF,?,00BBC8D7), ref: 00BBCA7D
                                      • Part of subcall function 00BBCA40: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BBCAAE
                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 00BBAF45
                                    • CloseHandle.KERNEL32(00000000), ref: 00BBAF97
                                      • Part of subcall function 00BBC860: WideCharToMultiByte.KERNEL32(00000003,00000000,00BE4C1A,000000FF,00000000,00000000,00000000,00000000,?,?,?,00BE4C1A,?,?), ref: 00BBC87C
                                      • Part of subcall function 00BBC860: WideCharToMultiByte.KERNEL32(00000003,00000000,00BE4C1A,000000FF,?,-00000001,00000000,00000000,?,?,?,00BE4C1A,?,?), ref: 00BBC8B2
                                    Strings
                                    Similarity
                                    • API ID: ByteCharMultiWide$CloseFileHandleInit_thread_footer$CreateFindHeapProcessResourceWrite
                                    • String ID: .bat$EXE$open
                                    • API String ID: 4275363648-2898749727
                                    • Opcode ID: aa826078c0210201d3ef88754e0165b151491d66e8bd3da0989c0b14463ddbe1
                                    • Instruction ID: 4206d46163f58a98ff2d861f87fe92291e17133b6ccde814bbc7c7209ce21461
                                    • Opcode Fuzzy Hash: aa826078c0210201d3ef88754e0165b151491d66e8bd3da0989c0b14463ddbe1
                                    • Instruction Fuzzy Hash: 0AA16A70901648EFDB10DFA8C948BADFBF4FF49314F248299E415AB2A1DBB49944CF51
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00AE6DBF
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 00AE6E13
                                    • CloseHandle.KERNEL32(00000000), ref: 00AE6E70
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00AE6ED4
                                    • CloseHandle.KERNEL32(00000000,?), ref: 00AE6EFA
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                    • String ID: aix$html
                                    • API String ID: 2030708724-2369804267
                                    • Opcode ID: 5be6f8ffe960f14bd23125a400201d85f32addd6800151422d847871c167ef6d
                                    • Instruction ID: c70219abbbb2f615ea53af943d246d409e7f654f0dcb75c177c64fba6b8dd66d
                                    • Opcode Fuzzy Hash: 5be6f8ffe960f14bd23125a400201d85f32addd6800151422d847871c167ef6d
                                    • Instruction Fuzzy Hash: 9061CEB0904348DFDB20CFA4DD59B9EBBF4FB04308F104959E015AB392EBB55A48CBA5
                                    APIs
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00D77028,00000000,83C8296E,00000000,00CC7533,000000FF,?,83C8296E), ref: 00AD29D3
                                    • GetLastError.KERNEL32(?,83C8296E), ref: 00AD29DD
                                    Strings
                                    Similarity
                                    • API ID: CountCriticalErrorInitializeLastSectionSpin
                                    • String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
                                    • API String ID: 439134102-34576578
                                    • Opcode ID: f0915fd58aa939826584377c01e1da16b67f7941c86f4d1b6a9a3863b2282b22
                                    • Instruction ID: 4a49b7bcb191ed71d98ab70f618d73cb7407d5316ce7b9ebc8c84486d7db7131
                                    • Opcode Fuzzy Hash: f0915fd58aa939826584377c01e1da16b67f7941c86f4d1b6a9a3863b2282b22
                                    • Instruction Fuzzy Hash: A35190B1904705DBCB20CFA5ED4579EBBF4EB04724F104A2AD819E7390E7759A48CBB1
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00BB2F10
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    • GetProcAddress.KERNEL32(SetWindowTheme), ref: 00BB2F4D
                                    • __Init_thread_footer.LIBCMT ref: 00BB2F64
                                    • SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00BB2F8F
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                      • Part of subcall function 00B92620: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00B92661
                                      • Part of subcall function 00B92620: _wcschr.LIBVCRUNTIME ref: 00B9271F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
                                    • String ID: SetWindowTheme$UxTheme.dll$explorer
                                    • API String ID: 3852524043-3123591815
                                    • Opcode ID: 8ff54a42e1f1bce51bc68b271505bf71394942c62dba7d3edd430397d8a31359
                                    • Instruction ID: 8fb1f45a4496882d99a9f98ceb54f6905be5706b7815aa5e4c1f083555a28782
                                    • Opcode Fuzzy Hash: 8ff54a42e1f1bce51bc68b271505bf71394942c62dba7d3edd430397d8a31359
                                    • Instruction Fuzzy Hash: F0219EB0A48700ABC720CF64EC42BA977A4F705B20F104A25F419E73D0E7B0AA458B75
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00AE9A4A
                                    • GetWindow.USER32(?,00000005), ref: 00AE9A57
                                    • GetWindow.USER32(00000000,00000002), ref: 00AE9B92
                                      • Part of subcall function 00AE98A0: GetWindowRect.USER32(?,?), ref: 00AE98CC
                                      • Part of subcall function 00AE98A0: GetWindowRect.USER32(?,?), ref: 00AE98DC
                                    • GetWindowRect.USER32(?,?), ref: 00AE9AEB
                                    • GetWindowRect.USER32(00000000,?), ref: 00AE9AFB
                                    • GetWindowRect.USER32(00000000,?), ref: 00AE9B15
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Rect
                                    • String ID:
                                    • API String ID: 3200805268-0
                                    • Opcode ID: b3709df2d54d572bcaab74174520573810f503d7bb3862e640ee286641eed58a
                                    • Instruction ID: e9a8a5b3e2603e827b31fc6a0599f897c3f9efe296160ed9f6b86765b4652180
                                    • Opcode Fuzzy Hash: b3709df2d54d572bcaab74174520573810f503d7bb3862e640ee286641eed58a
                                    • Instruction Fuzzy Hash: 694169315047809BC721DF2AD980E6BF7F9BF9A704F504A1DF08693561EB30E989CB62
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00C66800,00000000,?,?,00AE0C24,?), ref: 00C6667A
                                    • HeapAlloc.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C66681
                                      • Part of subcall function 00C6674C: IsProcessorFeaturePresent.KERNEL32(0000000C,00C66668,00000000,?,00C66800,00000000,?,?,00AE0C24,?), ref: 00C6674E
                                    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00C66800,00000000,?,?,00AE0C24,?), ref: 00C66691
                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00AE0C24,?), ref: 00C666B8
                                    • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,00AE0C24,?), ref: 00C666CC
                                    • InterlockedPopEntrySList.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C666DF
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00AE0C24,?), ref: 00C666F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                    • String ID:
                                    • API String ID: 2460949444-0
                                    • Opcode ID: 70aaed719cf0d4392dae2e8b34377b93df628b10b1fa3b71f5c0552c4180e285
                                    • Instruction ID: 35b77324f87de620e9817faa73f57e00fb7f7be289500c08ae4ac148b8e96037
                                    • Opcode Fuzzy Hash: 70aaed719cf0d4392dae2e8b34377b93df628b10b1fa3b71f5c0552c4180e285
                                    • Instruction Fuzzy Hash: B211C1B1640761BBEB325B64FCC8F2FB6ACFB08789F140021FA05EA251DA70DC0086B5
                                    APIs
                                      • Part of subcall function 00C03390: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00C0152A,?,83C8296E,?,?,?,000000FF,?,00C00EF4), ref: 00C0339D
                                      • Part of subcall function 00C03390: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00C0152A,?,83C8296E,?,?,?,000000FF,?,00C00EF4,?), ref: 00C033BE
                                      • Part of subcall function 00C03390: GetLastError.KERNEL32(?,83C8296E,?,?,?,000000FF,?,00C00EF4,?,?,00000000,00000000,83C8296E,?,?), ref: 00C0341E
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • ResetEvent.KERNEL32(?,00000000,00CD499D), ref: 00C015FA
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00C01619
                                    • WaitForSingleObject.KERNEL32(83C8296E,000000FF), ref: 00C01620
                                      • Part of subcall function 00AD9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,00AE6AC0,-00000010,?,00C11897,00000008,83C8296E), ref: 00AD9143
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
                                    • String ID: GET$attachment$filename
                                    • API String ID: 818129584-3911147371
                                    • Opcode ID: 2c9078137ba7d262c1d49d4e532677afceb4e1ee81dff1c71f312f739e7d647c
                                    • Instruction ID: ff94f98b187fb96f75a2555b83365a8b77b39cda1971b13cf7ccbe80421eb649
                                    • Opcode Fuzzy Hash: 2c9078137ba7d262c1d49d4e532677afceb4e1ee81dff1c71f312f739e7d647c
                                    • Instruction Fuzzy Hash: FE026C71A01249DFDB10DFA8C944BAEFBF4FF14314F188169E815AB391EB759A04CBA1
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • _wcschr.LIBVCRUNTIME ref: 00C17D2B
                                    • _wcschr.LIBVCRUNTIME ref: 00C17DD2
                                    • _wcschr.LIBVCRUNTIME ref: 00C17DF1
                                      • Part of subcall function 00AD9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,00AE6AC0,-00000010,?,00C11897,00000008,83C8296E), ref: 00AD9143
                                    • _wcschr.LIBVCRUNTIME ref: 00C17E93
                                    • GetTickCount.KERNEL32 ref: 00C1803A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
                                    • String ID: 0123456789AaBbCcDdEeFf
                                    • API String ID: 2181188311-3822820098
                                    • Opcode ID: 5d354a8d2660c13d6cc9083398e06f0df72fb2f805376b80da87c6a2df49e84a
                                    • Instruction ID: 932923e1154d9ba616647591eb40ef78af4b354f16adbe7d9b471d401e16b797
                                    • Opcode Fuzzy Hash: 5d354a8d2660c13d6cc9083398e06f0df72fb2f805376b80da87c6a2df49e84a
                                    • Instruction Fuzzy Hash: 47D1E171A04A058FDB20CF68C888BAAB7F5EF4A310F14875DE46697391DB34ED85DB90
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,83C8296E,?,00000000), ref: 00BD1AB9
                                    • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00BD1B29
                                    • CloseHandle.KERNEL32(?), ref: 00BD1D2E
                                    • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00BD1DB5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: File$Read$CloseCreateHandle
                                    • String ID:
                                    • API String ID: 1724936099-0
                                    • Opcode ID: 48118c72c89d4a60aa53d01307c99e475a18ffaaf831c92fd1aa94d5d55c08f1
                                    • Instruction ID: a992f99995ae8904095b577c50f71558ac4efdd37fa795e5bf083b6f76848335
                                    • Opcode Fuzzy Hash: 48118c72c89d4a60aa53d01307c99e475a18ffaaf831c92fd1aa94d5d55c08f1
                                    • Instruction Fuzzy Hash: 47C18171D01248EBDB24CFA8C985BAEF7F5EF44704F24459AD415AB381E770AE45CB90
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00D77008,83C8296E,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00C91605), ref: 00AE4F7A
                                    • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00C91605), ref: 00AE4FFA
                                    • EnterCriticalSection.KERNEL32(00D77024,?,?,?,?,?,?,?,?,?,?,?,00000000,00C91605,000000FF), ref: 00AE51B3
                                    • LeaveCriticalSection.KERNEL32(00D77024,?,?,?,?,?,?,?,?,?,?,00000000,00C91605,000000FF), ref: 00AE51D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Enter$FileLeaveModuleName
                                    • String ID: v
                                    • API String ID: 1807155316-3261393531
                                    • Opcode ID: a27636fb6dd7244772e751c342ab80edcc42e51ea2124985029214352e1b4a4c
                                    • Instruction ID: eaade5b81c7651ed21c92e54bc81d29af4b4c2f4287c178857c3b40abd4fc8a2
                                    • Opcode Fuzzy Hash: a27636fb6dd7244772e751c342ab80edcc42e51ea2124985029214352e1b4a4c
                                    • Instruction Fuzzy Hash: ABB15D70E00789DFDB10DFA9E898BAEBBB4BF09318F144158E904EB351D775A944CB61
                                    APIs
                                    • CoCreateInstance.COMBASE(00CF480C,00000000,00000001,00CF4E94,?), ref: 00AE0FA0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CreateInstance
                                    • String ID: :${
                                    • API String ID: 542301482-3766677574
                                    • Opcode ID: 942d26a05fa5be3daad6c95dfa796433fef6b26e34f79c32eee0475d5fb615b1
                                    • Instruction ID: 17f6908569c7d20be77f2a25b8ae6a405a071256b061f2bd417e09d430f99521
                                    • Opcode Fuzzy Hash: 942d26a05fa5be3daad6c95dfa796433fef6b26e34f79c32eee0475d5fb615b1
                                    • Instruction Fuzzy Hash: 96619E74A002959BDF348F9AD884FBEB7B4EB09714F144469F946EB280E7B59CC0CB61
                                    APIs
                                    • SysFreeString.OLEAUT32(?), ref: 00B050E4
                                    • SysFreeString.OLEAUT32(00000000), ref: 00B05159
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00B051BF
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00B051C5
                                    • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00B051F5
                                    • HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B051FB
                                    • SysFreeString.OLEAUT32(00000000), ref: 00B05213
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Free$Heap$String$Process
                                    • String ID:
                                    • API String ID: 2680101141-0
                                    • Opcode ID: 917cf66348373c3adc1769a85ff3b615569c960f7a5266c8b59bd3b377b19c83
                                    • Instruction ID: 209b7a6ac17edbe7ce0aa1111f30fe936dd48cce51a717abcd302ea17be6f4a4
                                    • Opcode Fuzzy Hash: 917cf66348373c3adc1769a85ff3b615569c960f7a5266c8b59bd3b377b19c83
                                    • Instruction Fuzzy Hash: 4F617AB0D006599BDF21DFA8C885BAFBBF4FF05310F144199E811A76C2DB789A05CBA1
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00D77250,83C8296E,00000000,00D7726C), ref: 00AE2653
                                    • LeaveCriticalSection.KERNEL32(00D77250), ref: 00AE26B8
                                    • LoadCursorW.USER32(00AD0000,?), ref: 00AE2714
                                    • LeaveCriticalSection.KERNEL32(00D77250), ref: 00AE27AB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Leave$CursorEnterLoad
                                    • String ID: v$ATL:%p
                                    • API String ID: 2080323225-109518622
                                    • Opcode ID: ebe82797c7a18f97e533953a75bce1d8f20b0e6a40bd02dcacb3b2dd9192d8ca
                                    • Instruction ID: 2607ee818f3b2928d47cf391d35754fb63ebc977b8e3f918a4b07022aba488b0
                                    • Opcode Fuzzy Hash: ebe82797c7a18f97e533953a75bce1d8f20b0e6a40bd02dcacb3b2dd9192d8ca
                                    • Instruction Fuzzy Hash: 3F51AE70904B488FDB21CF69C945BAAB7F4FF58314F00861DE899A7790E770B584CB60
                                    APIs
                                    • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00AFBCD5
                                    • lstrcpynW.KERNEL32(?,?,00000020), ref: 00AFBD4B
                                    • MulDiv.KERNEL32(?,00000048,00000000), ref: 00AFBD88
                                    • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00AFBDBA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$lstrcpyn
                                    • String ID: ?$t
                                    • API String ID: 3928028829-1995845436
                                    • Opcode ID: 4e1320a8b9040eb4672dea219a2f8278f2bd5bf015375e7d6f1d023a4948896e
                                    • Instruction ID: f7c3a9675bc7eba2dd1727632e6d6fb64f9ed39e81b49f3b640668a3428ba43c
                                    • Opcode Fuzzy Hash: 4e1320a8b9040eb4672dea219a2f8278f2bd5bf015375e7d6f1d023a4948896e
                                    • Instruction Fuzzy Hash: 07516FB1508744AFE731DF60D84AB9BBBE8EB88700F00491DF299D6291E7B4D548CB63
                                    APIs
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,83C8296E,?,?), ref: 00BFF597
                                    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,83C8296E,00CD450D), ref: 00BFF60F
                                    • GetLastError.KERNEL32 ref: 00BFF620
                                    • WaitForSingleObject.KERNEL32(00CD450D,000000FF), ref: 00BFF63C
                                    • GetExitCodeProcess.KERNEL32(00CD450D,00000000), ref: 00BFF64D
                                    • CloseHandle.KERNEL32(00CD450D), ref: 00BFF657
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00BFF672
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
                                    • String ID:
                                    • API String ID: 1153077990-0
                                    • Opcode ID: 5aabb4589e40269a047038e83b45be1e10499836c03a26e6c98dd9dfbae39cd0
                                    • Instruction ID: 42fe7751580a3a0f51b452e0a7d569ea0de4d1cf66072767f544ecc68f30f87e
                                    • Opcode Fuzzy Hash: 5aabb4589e40269a047038e83b45be1e10499836c03a26e6c98dd9dfbae39cd0
                                    • Instruction Fuzzy Hash: 0D417E71E0038AABDB10CFA4CD487EEBBF4EF49314F14966AE524E7290DB749A44CB50
                                    APIs
                                    • LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,00BF7731,00000000,83C8296E,?,00000010,00000000), ref: 00C11C5B
                                    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00C11C71
                                    • FreeLibrary.KERNEL32(00000000), ref: 00C11CAA
                                    • FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,00BF7731,00000000,83C8296E,?,00000010,00000000), ref: 00C11CC6
                                    Strings
                                    Similarity
                                    • API ID: Library$Free$AddressLoadProc
                                    • String ID: DllGetVersion$Shlwapi.dll
                                    • API String ID: 1386263645-2240825258
                                    • Opcode ID: 96c1e53f5dc5b99200bccc13eb2d4858d74af763217f1b52b718fbe34d0eb537
                                    • Instruction ID: 0a141a3ef665c1d0bbd87751cceb8ced28ad1ca27c4bfe44fb3277ee0b14733d
                                    • Opcode Fuzzy Hash: 96c1e53f5dc5b99200bccc13eb2d4858d74af763217f1b52b718fbe34d0eb537
                                    • Instruction Fuzzy Hash: 14219F726047015BC710EF29E881AAFB7E4FFDD710B84056EF999C7201EB35D94897A2
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,00C810AF,?,?,?,00000000,00000000,?,00C812D9,00000021,FlsSetValue,00CEDF90,00CEDF98,?), ref: 00C81063
                                    Strings
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 3664257935-537541572
                                    • Opcode ID: 8e95b5f2a73deddb661300a54e729a423dcac9447a55d1b12ef8edafd65117d7
                                    • Instruction ID: 0c1c26c99715e3c66279941fcd288541ba68618dc6ef431d3ba2dc9139695f26
                                    • Opcode Fuzzy Hash: 8e95b5f2a73deddb661300a54e729a423dcac9447a55d1b12ef8edafd65117d7
                                    • Instruction Fuzzy Hash: 8621F375A01294ABC732AB659C84B5A33ACEB453A8F280124ED29A7280E770EF41C7D4
                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00C640E3,00C64046,00C642E7), ref: 00C6407F
                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00C64095
                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00C640AA
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                    • API String ID: 667068680-1718035505
                                    • Opcode ID: beeab7d8ab9a0478202ebaf7b192b199d5816eaaf001692423322b2a58ae6fb9
                                    • Instruction ID: a007487adfe4ab0d5432d36a5235bc3ac075501286b266d38cb837c02143706c
                                    • Opcode Fuzzy Hash: beeab7d8ab9a0478202ebaf7b192b199d5816eaaf001692423322b2a58ae6fb9
                                    • Instruction Fuzzy Hash: 94F0C2716017B2DF5F395E725CD426B72ECDA093513104239EB22D7350EAA1CE859BE2
                                    APIs
                                    • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00AFE3B7
                                    • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00AFE3DF
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AFE3F7
                                    • SendMessageW.USER32(?,0000130A,00000000,?), ref: 00AFE428
                                    • GetParent.USER32(?), ref: 00AFE504
                                    • SendMessageW.USER32(00000000,00000136,?,?), ref: 00AFE515
                                    Similarity
                                    • API ID: MessageSend$Parent
                                    • String ID:
                                    • API String ID: 1020955656-0
                                    • Opcode ID: bf142f0a02a7437c8caf8d664175df064790c2a50e32719904672c7dbebefa05
                                    • Instruction ID: 334b5869fbfca34553ecb0549d8280fe8546c80d3a87e9802175559217c5a6fb
                                    • Opcode Fuzzy Hash: bf142f0a02a7437c8caf8d664175df064790c2a50e32719904672c7dbebefa05
                                    • Instruction Fuzzy Hash: CC612671900718AFDB119FE4EC09BAEBBB9FF08710F100119F619EB2A4D7B16980CB65
                                    APIs
                                    • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00BDA3E2
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BDA3E8
                                    • GetDlgItem.USER32(?,?), ref: 00BDA45A
                                    • GetWindowRect.USER32(00000000,?), ref: 00BDA472
                                    • SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 00BDA4FF
                                    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00BDA533
                                    Similarity
                                    • API ID: Window$MessageSend$ItemLongRect
                                    • String ID:
                                    • API String ID: 3432912040-0
                                    • Opcode ID: 04f34dfdb181ff164705de20eae9793c293a601be675434809e8474be97db121
                                    • Instruction ID: 4631b9f81d4b3785be1db54b38f48c87bb92124134181fcdb3dfa4a6a07315a3
                                    • Opcode Fuzzy Hash: 04f34dfdb181ff164705de20eae9793c293a601be675434809e8474be97db121
                                    • Instruction Fuzzy Hash: B6516C302047019FD724CF28D989B2ABBE1FF84708F144A5DF5899B3A5E7B1E994CB52
                                    APIs
                                    • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00BB2CBB
                                    • GetParent.USER32(00000000), ref: 00BB2D0E
                                    • GetWindowRect.USER32(00000000), ref: 00BB2D11
                                    • GetParent.USER32(00000000), ref: 00BB2D20
                                      • Part of subcall function 00B6FEF0: GetWindowRect.USER32(?,?), ref: 00B6FF82
                                      • Part of subcall function 00B6FEF0: GetWindowRect.USER32(?,?), ref: 00B6FF9A
                                    • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00BB2E10
                                    • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00BB2E23
                                    Similarity
                                    • API ID: MessageRectSendWindow$Parent
                                    • String ID:
                                    • API String ID: 425339167-0
                                    • Opcode ID: 906aa99159923a3ae18aa0acc66de8453c04bfe186bdf3e0ece882a4fd80777c
                                    • Instruction ID: 9adf4bd2025643a59a56929b31631820f0a24fce3f6b4d4ffde66cf409f62e6a
                                    • Opcode Fuzzy Hash: 906aa99159923a3ae18aa0acc66de8453c04bfe186bdf3e0ece882a4fd80777c
                                    • Instruction Fuzzy Hash: 25513871D00708ABDB21DFA8DD45BDEBBF8EF59710F144319E809A7291EBB06980CB60
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BC6FAA
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BC6FCC
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BC6FF4
                                    • __Getctype.LIBCPMT ref: 00BC70D5
                                    • std::_Facet_Register.LIBCPMT ref: 00BC7137
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BC7161
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                    • String ID:
                                    • API String ID: 1102183713-0
                                    • Opcode ID: 54bf16bac9bf393f926038dc68faf7af6176682963a4aa3b898e3ecc12c2aa5d
                                    • Instruction ID: 3174c8ecfb8ff9792fbae0463913852f9431302e52db23a3096baecedab6e77c
                                    • Opcode Fuzzy Hash: 54bf16bac9bf393f926038dc68faf7af6176682963a4aa3b898e3ecc12c2aa5d
                                    • Instruction Fuzzy Hash: 3E6190B1C05649CBDB20CF58D941BAABBF4FB14310F14829DD849AB351EB74AA84CFA1
                                    APIs
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AFFCED
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ' AND `Control_`='$AiTabPage$ControlEvent$`Dialog_`='
                                    • API String ID: 3850602802-1655181372
                                    • Opcode ID: acf4a6bbcab41982615190cd05f64aaf8729313802b9e20884a2363e1741493a
                                    • Instruction ID: 1e19ed6734e03ed8a5a48633fac322bc9969ba00a681260f230d754aa15f7de1
                                    • Opcode Fuzzy Hash: acf4a6bbcab41982615190cd05f64aaf8729313802b9e20884a2363e1741493a
                                    • Instruction Fuzzy Hash: B0F16671900288DFDB14DF68C989BEE7BF1FF08304F5441A9E915AB392D774AA44CB90
                                    APIs
                                    • GetLastError.KERNEL32(?,?,00C68760,00C6872C,?,?,00B0254D,00BD1180,?,00000008), ref: 00C68777
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C68785
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C6879E
                                    • SetLastError.KERNEL32(00000000,00C68760,00C6872C,?,?,00B0254D,00BD1180,?,00000008), ref: 00C687F0
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: e880685a891b945091f970399659fcb2eadb7bbe79d34fefe8e93e32144a871f
                                    • Instruction ID: da3fcd10786d107ffe2706c63661b51ee05589bb1efadbd35973e648e4da3b17
                                    • Opcode Fuzzy Hash: e880685a891b945091f970399659fcb2eadb7bbe79d34fefe8e93e32144a871f
                                    • Instruction Fuzzy Hash: 6701843220D7119EA73427B5BCC9B2B2B94EB11775730033AF534D56E2EF954C45A270
                                    APIs
                                    • GetShortPathNameW.KERNEL32(83C8296E,00000000,00000000), ref: 00BE4B6F
                                    • GetShortPathNameW.KERNEL32(?,?,?), ref: 00BE4BDD
                                    Strings
                                    Similarity
                                    • API ID: NamePathShort
                                    • String ID: neutral$x64$x86
                                    • API String ID: 1295925010-1541741584
                                    • Opcode ID: 6505bf781296cfa587bc2c30f022f164622589ea36e5f4020c5ea315fa03f4a5
                                    • Instruction ID: e1744bcfa5fca20527e6313e425bb53f9e3345a0349cda0c060bf626304162dd
                                    • Opcode Fuzzy Hash: 6505bf781296cfa587bc2c30f022f164622589ea36e5f4020c5ea315fa03f4a5
                                    • Instruction Fuzzy Hash: 5BB1B171A00248EFDB14DFA4C849BDEBBF5EF44324F108299E415AB391DB74AA44CBA4
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 00BDA85B
                                    Strings
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID: Close$Copy$Details >>$Send Error Report
                                    • API String ID: 4139908857-113472931
                                    • Opcode ID: 509a42c8e46b9b09998210d20e5453cac36401cceacf52b3f683fa9bb0b007b1
                                    • Instruction ID: df9f44253c5ee30fd1e71e2e2b71797fd58bfc30d33e900c8c1e83ee74c4cb2c
                                    • Opcode Fuzzy Hash: 509a42c8e46b9b09998210d20e5453cac36401cceacf52b3f683fa9bb0b007b1
                                    • Instruction Fuzzy Hash: 4DA17D70A40205EBEB14CF60CC56FAEB7B5EF44714F00426AF511BB3D0EBB1A9058B55
                                    APIs
                                    • _wcsrchr.LIBVCRUNTIME ref: 00C11104
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • DeleteFileW.KERNEL32(?), ref: 00C111AA
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 00C112DF
                                      • Part of subcall function 00C00510: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,83C8296E,00000001,7508EB20,00000000), ref: 00C0055F
                                      • Part of subcall function 00C00510: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,83C8296E,00000001,7508EB20,00000000), ref: 00C00595
                                      • Part of subcall function 00BFD930: LoadStringW.USER32(000000CA,?,00000514,83C8296E), ref: 00BFD986
                                    • _wcsrchr.LIBVCRUNTIME ref: 00C11219
                                    Strings
                                    • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00C1115E
                                    Similarity
                                    • API ID: File$DeleteInit_thread_footer_wcsrchr$CreateHeapLoadProcessReadString
                                    • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                    • API String ID: 675357196-3685554107
                                    • Opcode ID: 9663cee19f2be11ba45022ee92f985c5aff1d359a3337715528da19573cb346f
                                    • Instruction ID: 33f1b762f3fa680160a2eb335de33befae18193ecc57292927369528557c46fe
                                    • Opcode Fuzzy Hash: 9663cee19f2be11ba45022ee92f985c5aff1d359a3337715528da19573cb346f
                                    • Instruction Fuzzy Hash: EA91B3319006459FDB00DF68C844B9EFBB5FF45320F1882A9E925DB3A2EB35D904CB90
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00AD8945
                                    • __Init_thread_footer.LIBCMT ref: 00AD89BF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: </a>$<a href="$<a>
                                    • API String ID: 1385522511-4210067781
                                    • Opcode ID: 2a77f026c680dcc2134d62847f4c0ebeae48e38880ed25561a982c0950f69aa9
                                    • Instruction ID: f57cf235ffce29c3b9213ede73d3668564c73788d3b1718a8b50143ecae64b50
                                    • Opcode Fuzzy Hash: 2a77f026c680dcc2134d62847f4c0ebeae48e38880ed25561a982c0950f69aa9
                                    • Instruction Fuzzy Hash: 2DA1C270A04304DFCB14DF68D855BADB7B1FF45314F50466AE816AB3E1EB74A984CBA0
                                    APIs
                                    • CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00AFE23D
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AFE252
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AFE25A
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                      • Part of subcall function 00AFFCA0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AFFCED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$AllocateCreateHeapWindow
                                    • String ID: SysTabControl32$TabHost
                                    • API String ID: 2359350451-2872506973
                                    • Opcode ID: acca13c6bf713149ff6603f0a49c54e9bc6d61e53993f38060e88bc728ef6ed5
                                    • Instruction ID: 441248da43f3a153d8a5c26393519b473527054c82d2c9e9c2b1a56b8827a0af
                                    • Opcode Fuzzy Hash: acca13c6bf713149ff6603f0a49c54e9bc6d61e53993f38060e88bc728ef6ed5
                                    • Instruction Fuzzy Hash: 5651AF31A006099FDB14DFA9C844BAEBBF5FF49310F10426AF915E73A1DB71A900CBA0
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,83C8296E), ref: 00AE6FE1
                                    • GetLastError.KERNEL32 ref: 00AE700A
                                    • RegCloseKey.ADVAPI32(?,00000000,00000000,?,00CF438C,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00AE7153
                                    Strings
                                    • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00AE6FD6
                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00AE704A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorEventLast
                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                    • API String ID: 1713683948-2079760225
                                    • Opcode ID: 78be1c7dac739703855cacf2c5a9b0d30e5e9f1daffec2a70a24467e379e41c9
                                    • Instruction ID: cf37f9ce997e1b8021b794a6de06008cc28f17c7ee858bcdece0353b5b607ad4
                                    • Opcode Fuzzy Hash: 78be1c7dac739703855cacf2c5a9b0d30e5e9f1daffec2a70a24467e379e41c9
                                    • Instruction Fuzzy Hash: 1D616D70D04789EEDB10CF68C945B9EFBF4AF14304F108299E459A7381EBB4AA48CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
                                    • API String ID: 0-3551742416
                                    • Opcode ID: ed170bd65668c8c7ea5d8befbc0f079e58e7273c391c5b56883f275a0a0d760b
                                    • Instruction ID: 50f76e305deeb68bf8cd3dc5b305810ea980e64f28319113b7f41200ef69f642
                                    • Opcode Fuzzy Hash: ed170bd65668c8c7ea5d8befbc0f079e58e7273c391c5b56883f275a0a0d760b
                                    • Instruction Fuzzy Hash: 3421F332A44609ABDB249F68D844BBAB3E5FB44724F500AFAE915D7390EB31DD44C7A0
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,00C6B9DF,?,?,00000000,?,?,00C6BA91,00000002,FlsGetValue,00CEB0D0,00CEB0D8), ref: 00C6B9AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-
                                    • API String ID: 3664257935-2084034818
                                    • Opcode ID: 6e6eddf6cb7a3d934f0ef5cbdbfc4e28837572accb6c4bd714babb063a44a4cf
                                    • Instruction ID: 33e5395fdc95b1e288d8995dfb80988fa92463bd21d55d29b3c57c89f0fc1437
                                    • Opcode Fuzzy Hash: 6e6eddf6cb7a3d934f0ef5cbdbfc4e28837572accb6c4bd714babb063a44a4cf
                                    • Instruction Fuzzy Hash: 51117371A01665ABCB329B699CC5B6E33B4AF06770F250120FE65EB2C0E770EF4086D5
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,83C8296E,?,?,00000000,00CE7106,000000FF,?,00C7D7F2,?,?,00C7D7C6,?), ref: 00C7D897
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C7D8A9
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00CE7106,000000FF,?,00C7D7F2,?,?,00C7D7C6,?), ref: 00C7D8CB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 77794e9d488397df6e41be9add8038ef85a3cf9a47abbf83366c9ed395cc6115
                                    • Instruction ID: 3500a22528e25075dc8d833d7cc97a8428bae9d53b64bdab0230e590f47305bf
                                    • Opcode Fuzzy Hash: 77794e9d488397df6e41be9add8038ef85a3cf9a47abbf83366c9ed395cc6115
                                    • Instruction Fuzzy Hash: 4701A231A04699EFCF118F50DC45FAEBBB8FF04B10F008135E826E62D0DBB49900CAA0
                                    APIs
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00BD88AE
                                    • GetProcAddress.KERNEL32(00000000), ref: 00BD88B5
                                    • __Init_thread_footer.LIBCMT ref: 00BD88CC
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
                                    • String ID: Dbghelp.dll$SymFromAddr
                                    • API String ID: 3268644551-642441706
                                    • Opcode ID: 0e6099ed07a3db694b1f9e87a927099747fbb432be7eb15b8f0bb86dd7cdd622
                                    • Instruction ID: be55080c2d4e0e1ac42c9a3fda3fbf09213ed432a869f74279b018b4b2b88420
                                    • Opcode Fuzzy Hash: 0e6099ed07a3db694b1f9e87a927099747fbb432be7eb15b8f0bb86dd7cdd622
                                    • Instruction Fuzzy Hash: 02018C71A49744DFC720CF58ED86F1AB3A4E708730F104A66E919C33E0E735A5008B20
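The "API ID" under Similarity is a normalised fingerprint of the calls listed in a record's APIs block, and it is what makes two records comparable across samples. From the IDs on this page the rule can be read off: split each API name at uppercase letters, drop fragments of three characters or fewer (Get, Set, Ex, W, Rtl, Reg, Pos, Key, All), count the remaining fragments across every call including the "Part of subcall function" lines, group them by descending count, sort alphabetically inside each group and join the groups with "$". The Python below is an added example that reproduces the IDs of the SysTabControl32 and Dbghelp.dll records above; it is not Joe Sandbox's own code, the length cut-off and the handling of leading underscores are inferred from the visible IDs, and the "API String ID" hash is not reconstructed.

```python
"""Re-derive the Joe Sandbox 'API ID' similarity token from a record's APIs
lines. Added example: this reimplements the pattern visible in the report and
is NOT Joe Sandbox's implementation. The 'longer than three characters' filter
and the treatment of leading underscores are inferred from the IDs on the page."""
import re
from collections import Counter

# Optional bullet, optional "Part of subcall function XXXXXXXX:" prefix, then the
# API name up to the module separator ('.'). Lines without that shape (Strings,
# Memory Dump Source, ...) simply do not match.
_API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([^.(\s]+)\."
)


def api_names(lines):
    """Return the API names from a record's APIs block, subcall lines included."""
    return [m.group(1) for m in map(_API_LINE.match, lines) if m]


def tokens(name):
    """Split a Win32-style identifier at uppercase letters and keep fragments
    longer than three characters. '__Init_thread_footer' loses its '__' prefix
    (a two-character fragment), '_wcsrchr' survives whole, as in the report."""
    return [t for t in re.split(r"(?=[A-Z])", name) if len(t) > 3]


def api_id(lines):
    """Count tokens over all calls, group by descending count, sort each group
    alphabetically and join the groups with '$' (empty string for no calls)."""
    counts = Counter(t for n in api_names(lines) for t in tokens(n))
    by_count = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True))


# APIs blocks copied from the two records above (SysTabControl32 and Dbghelp.dll).
RECORD_WINDOW = """\
• CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00AFE23D
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AFE252
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AFE25A
  • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
  • Part of subcall function 00AFFCA0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AFFCED
""".splitlines()

RECORD_DBGHELP = """\
  • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
  • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
• LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00BD88AE
• GetProcAddress.KERNEL32(00000000), ref: 00BD88B5
• __Init_thread_footer.LIBCMT ref: 00BD88CC
  • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
  • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
  • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
""".splitlines()

if __name__ == "__main__":
    print(api_id(RECORD_WINDOW))   # MessageSend$AllocateCreateHeapWindow
    print(api_id(RECORD_DBGHELP))  # CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
```

Because subcall lines count towards the ID, a record's fingerprint changes when an inlined helper (the CRT critical-section wrappers here) is re-laid out by the compiler; when hunting for the same function in another build, compare the top-level calls before trusting an exact API ID match.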
                                    APIs
                                    • SleepConditionVariableCS.KERNELBASE(?,00C67137,00000064), ref: 00C671BD
                                    • LeaveCriticalSection.KERNEL32(00D75CD8,?,?,00C67137,00000064,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E), ref: 00C671C7
                                    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00C67137,00000064,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E), ref: 00C671D8
                                    • EnterCriticalSection.KERNEL32(00D75CD8,?,00C67137,00000064,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010), ref: 00C671DF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                    • String ID: v
                                    • API String ID: 3269011525-3261393531
                                    • Opcode ID: d580df410bbcd79f4b64820a305db8ba614eb219be4fa19626e88489934b0a9f
                                    • Instruction ID: 6fd7f2c18a3f394967e58a4130794ea05f279ef11b958870ecc3825169bd4166
                                    • Opcode Fuzzy Hash: d580df410bbcd79f4b64820a305db8ba614eb219be4fa19626e88489934b0a9f
                                    • Instruction Fuzzy Hash: 5CE09232580764FBCB121F91FD48BCD3F18EB09B11B104011FA0DEA264DBB009408BE2
                                    APIs
                                      • Part of subcall function 00AF28C0: __Init_thread_footer.LIBCMT ref: 00AF292F
                                    • SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 00AF07B2
                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00AF0867
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00AF0906
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00AF09B1
                                      • Part of subcall function 00AE2A50: RaiseException.KERNEL32(83C8296E,83C8296E,00000000,00000000,00C1197B,C000008C,00000001,83C8296E), ref: 00AE2A5C
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00AF0A37
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$ExceptionInit_thread_footerRaise
                                    • String ID:
                                    • API String ID: 3442259968-0
                                    • Opcode ID: 002039e4a27973fb201e2c0229b601a8b13fc8598c282a9ab9fda0b5e1d61c33
                                    • Instruction ID: 7862de59931ec29bb4091e49483cd3be7e344f23245366a186db9ff8428ed6c5
                                    • Opcode Fuzzy Hash: 002039e4a27973fb201e2c0229b601a8b13fc8598c282a9ab9fda0b5e1d61c33
                                    • Instruction Fuzzy Hash: 0BB11CB1D0135DDBEB20DF54CD54BDABBB1BF48308F109299EA186B281E7B55A84CF90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B36F9E
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B36FA4
                                    • GetProcessHeap.KERNEL32(-000000FF,00000000), ref: 00B36FCF
                                    • HeapFree.KERNEL32(00000000,-000000FF,00000000), ref: 00B36FD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID: _TEMP
                                    • API String ID: 3859560861-1625495653
                                    • Opcode ID: 2ac16a6893887147810f28ccc0f26f83f1a5942a7bf4c082473caddadd03b9b1
                                    • Instruction ID: 39887356871668ac525e64949d7012347d5b2cc782a3bab194dead3175948229
                                    • Opcode Fuzzy Hash: 2ac16a6893887147810f28ccc0f26f83f1a5942a7bf4c082473caddadd03b9b1
                                    • Instruction Fuzzy Hash: BA916CB4D01249DFDB14DFA8C984BEEBBF4EF48314F2482ADE415A7291CB745A04CBA1
                                    APIs
                                      • Part of subcall function 00B2A6C0: GetWindowLongW.USER32(?,000000F0), ref: 00B2A6E0
                                      • Part of subcall function 00B2A6C0: SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00B2A70E
                                      • Part of subcall function 00B2A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00B2A53C), ref: 00B2A71F
                                      • Part of subcall function 00B2A6C0: GetWindowLongW.USER32(?,000000EC), ref: 00B2A753
                                      • Part of subcall function 00B2A6C0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B2A77F
                                      • Part of subcall function 00B2A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00B2A53C), ref: 00B2A796
                                      • Part of subcall function 00B2A6C0: GetWindowLongW.USER32(?,000000F0), ref: 00B2A7BA
                                      • Part of subcall function 00B2A6C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B2A7D2
                                      • Part of subcall function 00B2A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00B2A53C), ref: 00B2A7E3
                                    • GetWindowRect.USER32(?,?), ref: 00B2A589
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00B2A5B0
                                    • GetWindowRect.USER32(?,00000000), ref: 00B2A5FB
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,00000000), ref: 00B2A632
                                    • SetWindowTextW.USER32(?,83C8296E), ref: 00B2A674
                                      • Part of subcall function 00B35A70: GetWindowLongW.USER32(?,000000F0), ref: 00B35AB7
                                      • Part of subcall function 00B35A70: GetParent.USER32 ref: 00B35ACD
                                      • Part of subcall function 00B35A70: GetWindowRect.USER32(?,?), ref: 00B35AD8
                                      • Part of subcall function 00B35A70: GetParent.USER32(?), ref: 00B35AE0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Long$Rect$Parent$Text
                                    • String ID:
                                    • API String ID: 1351983003-0
                                    • Opcode ID: 5a5c7b3471310ad9c5cd8e5e78e116461168fc64126e7cb549202c03f713550f
                                    • Instruction ID: d07c2474c0abed9cdf1867877ea1f3ee1a21792b8ed5eec25560ff251bd84246
                                    • Opcode Fuzzy Hash: 5a5c7b3471310ad9c5cd8e5e78e116461168fc64126e7cb549202c03f713550f
                                    • Instruction Fuzzy Hash: 5F513C71900609AFDB04DFA4DD85AEEFBB9FF08314F104365E819A3294EB71B955CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ItemMessageSendWindow
                                    • String ID:
                                    • API String ID: 799199299-0
                                    • Opcode ID: 013539b1979fb1d07610240e66be30d293d86c9d15509db3bec5fa0958ac3c0e
                                    • Instruction ID: e3f36e2f3176dc6dbaa3cf733bfb67888d2e47d84a227cd5cf60f046811d825f
                                    • Opcode Fuzzy Hash: 013539b1979fb1d07610240e66be30d293d86c9d15509db3bec5fa0958ac3c0e
                                    • Instruction Fuzzy Hash: 6A4170322006019FD7188F55E894A67B7F9FB89311B04893BE54BC6672DB31ED51DB60
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BCCCD4
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BCCCF6
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BCCD1E
                                    • std::_Facet_Register.LIBCPMT ref: 00BCCE07
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BCCE31
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                    • String ID:
                                    • API String ID: 459529453-0
                                    • Opcode ID: 2cf79104c46c6e8d538e8c9016c4624da1447634f6fcefd75d475ee944aa8456
                                    • Instruction ID: 95e1387242ef00d7472e979dfe7ce053f8093da4f51a7c16d7db21dbcdcce6b6
                                    • Opcode Fuzzy Hash: 2cf79104c46c6e8d538e8c9016c4624da1447634f6fcefd75d475ee944aa8456
                                    • Instruction Fuzzy Hash: 8251BE70900649DFCB24CF98C880BAEBFF0EB10314F2445ADE449AB381E775AA05CB91
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00B27B59
                                    • CoInitializeEx.COMBASE(00000000,00000002), ref: 00B27B69
                                    • SendMessageW.USER32(?,000005FA,?,00000000), ref: 00B27C81
                                      • Part of subcall function 00B36100: EnterCriticalSection.KERNEL32(83C8296E,83C8296E), ref: 00B36140
                                      • Part of subcall function 00B36100: GetCurrentThreadId.KERNEL32 ref: 00B36153
                                      • Part of subcall function 00B36100: LeaveCriticalSection.KERNEL32(?), ref: 00B361D1
                                      • Part of subcall function 00B30200: SetLastError.KERNEL32(0000000E,?,00B288CB,?,?,?,?), ref: 00B30218
                                    • GetLastError.KERNEL32(?,?,00CFD550,00000000), ref: 00B27BF3
                                    • ShowWindow.USER32(?,0000000A,?,?,00CFD550,00000000), ref: 00B27C05
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
                                    • String ID:
                                    • API String ID: 2782539745-0
                                    • Opcode ID: 7c185fa300b32f04724fe31691728572a1902d3d373e31f978f161cb65114fe5
                                    • Instruction ID: 8db43d652829ab55fca82e8a4d9b0466fa459ceaff6c9b110747c1d9f8731341
                                    • Opcode Fuzzy Hash: 7c185fa300b32f04724fe31691728572a1902d3d373e31f978f161cb65114fe5
                                    • Instruction Fuzzy Hash: 9431BE70D00358EBDB14DFA4D85ABEEBBF4EF10308F108599E415AB2D1DBB55A44CB91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$Init
                                    • String ID:
                                    • API String ID: 3740757921-0
                                    • Opcode ID: 0542b810c3be10a4e65e383cda42cf8fd45f4be7cb9284fd6df26749ec77bc2a
                                    • Instruction ID: 83a738503ad4315107029bcb38de63a4baabcf1d61e385501b8879f4817a9d56
                                    • Opcode Fuzzy Hash: 0542b810c3be10a4e65e383cda42cf8fd45f4be7cb9284fd6df26749ec77bc2a
                                    • Instruction Fuzzy Hash: 5E310771D05248EFDB01CFA8D944BDEBBB8EF49304F10859AE414E7291D7B5AA44CBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B04ABA
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B04AC0
                                    • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00B04AE3
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00C97786,000000FF), ref: 00B04B0B
                                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00C97786,000000FF), ref: 00B04B11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess$FormatMessage
                                    • String ID:
                                    • API String ID: 1606019998-0
                                    • Opcode ID: 5c3413ba6545ea9bdb5767e9098171c2a4b33fe61537bceee48d4d89918f621e
                                    • Instruction ID: 1807a874c5a7e6a2ecc1f2f6ce2e63743440e1108144ce3bd35858381874c078
                                    • Opcode Fuzzy Hash: 5c3413ba6545ea9bdb5767e9098171c2a4b33fe61537bceee48d4d89918f621e
                                    • Instruction Fuzzy Hash: F91160F0A44259ABEB10DF94DD46BAFBBFCEB04B04F104559F510A76C1D7B59A0487A0
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00AF109B
                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00AF10F8
                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00AF1147
                                    • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00AF1158
                                    • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00AF1165
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow
                                    • String ID:
                                    • API String ID: 312131281-0
                                    • Opcode ID: 2e5970e0754aa6da2d36f378f6c363663b8c36b4248e58a0060c88badc99796a
                                    • Instruction ID: acf190406c8126412bf88c0f4f398e716b8ca5a6ec63b7e19995ca785a5ee394
                                    • Opcode Fuzzy Hash: 2e5970e0754aa6da2d36f378f6c363663b8c36b4248e58a0060c88badc99796a
                                    • Instruction Fuzzy Hash: 5C215131918746A6E220DF51CD45B1ABBF1BFEE758F202B0EF1D4211A4E7F191C48E96
                                    APIs
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                      • Part of subcall function 00BB2A60: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00AF0408,00000000,80004005), ref: 00BB2AC8
                                      • Part of subcall function 00BB2A60: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BB2AF8
                                    • SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00AF621D
                                    • SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00AF6234
                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 00AF6290
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$AllocateHeapWindow
                                    • String ID: QuickSelectionList
                                    • API String ID: 3168177373-3633591268
                                    • Opcode ID: e3f10f2551cc2aa228c463274a7c2e684d55f7c6017908034f25d581de462f3a
                                    • Instruction ID: 9ddb63f68fbf3e207c3293ea282fe5873f3ebad002adcf5d47b32f6b9d111af4
                                    • Opcode Fuzzy Hash: e3f10f2551cc2aa228c463274a7c2e684d55f7c6017908034f25d581de462f3a
                                    • Instruction Fuzzy Hash: D5819E71A002099FDB14DFA8C884BEAF7F5FF88314F104669F625A7291DB75AD04CBA0
                                    APIs
                                      • Part of subcall function 00BD1F70: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00BD1FB4
                                      • Part of subcall function 00BD1F70: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BD1FBF
                                    • GetCurrentThreadId.KERNEL32 ref: 00B29BFC
                                    • SendMessageW.USER32(?,00000127,00030003,00000000), ref: 00B29C85
                                    Strings
                                    • AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 00B29B29
                                    • AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 00B29BA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: MessageSend$CurrentThread
                                    • String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
                                    • API String ID: 2377075789-1831360935
                                    • Opcode ID: 8d5c1e23b1e07ab00ce372ebcef832f14621fe9d2917174880e7e48d39fe8592
                                    • Instruction ID: e57f15ec2c4b1238ff4dcddade74d3e153da953380113ca3562c76b3bed81b27
                                    • Opcode Fuzzy Hash: 8d5c1e23b1e07ab00ce372ebcef832f14621fe9d2917174880e7e48d39fe8592
                                    • Instruction Fuzzy Hash: 88819231A00248DFCB05EF64D995B9DBBF5EF44300F1441E9E80AAB396DB74AE44CBA1
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00B2C59E
                                    • SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 00B2C778
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Rect
                                    • String ID: AiDlgHeight$AiDlgWeight
                                    • API String ID: 3200805268-871102398
                                    • Opcode ID: 816eff69b75b168926b91ef25dca9d5ab487240b57e9928f0499d5ffd5b52040
                                    • Instruction ID: 333ed0fb441a18155eb21973c37970718706c47376b340e29d1e4b25dea1c0ab
                                    • Opcode Fuzzy Hash: 816eff69b75b168926b91ef25dca9d5ab487240b57e9928f0499d5ffd5b52040
                                    • Instruction Fuzzy Hash: F6617E71D00249DFCB14CFA8D945B9EBBF4EF48314F14826AE815AB391E774AA48CF91
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,83C8296E,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00C10724
                                      • Part of subcall function 00BD6130: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,80004005,?,?,?,00000000,00CCB90D,000000FF), ref: 00BD6148
                                      • Part of subcall function 00BD6130: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,?,80004005,?,?,?,00000000,00CCB90D,000000FF), ref: 00BD617A
                                      • Part of subcall function 00AE2A50: RaiseException.KERNEL32(83C8296E,83C8296E,00000000,00000000,00C1197B,C000008C,00000001,83C8296E), ref: 00AE2A5C
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateExceptionHeapObjectRaiseSingleWait
                                    • String ID: *.*$.jar$.pack
                                    • API String ID: 2917691982-3892993289
                                    • Opcode ID: 686e09144d6d059b6a5f7db48b69ec316ec661891aa3b04854a61d17656792f0
                                    • Instruction ID: 1c846d47ff98a939f8f99506c93d1977ae04ae30f4db0cf3f35ff087ea5bfd8f
                                    • Opcode Fuzzy Hash: 686e09144d6d059b6a5f7db48b69ec316ec661891aa3b04854a61d17656792f0
                                    • Instruction Fuzzy Hash: 9C514E70A0061ADBDB10DFA9C844BAEF7B4FF05314F248269E425EB2D1DB74E985DB90
                                    APIs
                                    • EnterCriticalSection.KERNEL32(011FFA98,83C8296E,011FFA98), ref: 00B35F01
                                    • GetCurrentThreadId.KERNEL32 ref: 00B35F11
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00B35F37
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: adff48e803f995d59a3f98873d45b311b6545a6c62b46cc3cfe26c39935b7d89
                                    • Instruction ID: b6212a563f2dc2eef40de6cbc3c401a1204d20affb4050b9f1fff96942bf69fb
                                    • Opcode Fuzzy Hash: adff48e803f995d59a3f98873d45b311b6545a6c62b46cc3cfe26c39935b7d89
                                    • Instruction Fuzzy Hash: CB41E271900A16AFDB20CF58CD85BAAF7A8FB44314F208369E825D7281E731ED54CBE0
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00AE2AA6
                                    • EnterCriticalSection.KERNEL32(00D77250), ref: 00AE2AC6
                                    • LeaveCriticalSection.KERNEL32(00D77250), ref: 00AE2AEA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: 00a57e010e59126e612067481c321d0882b20a5805de2230e906efe9754439fb
                                    • Instruction ID: c19191daced707c1581f88fa9ba8d3b4fc984a104f25f3420f377b55a1fe61c5
                                    • Opcode Fuzzy Hash: 00a57e010e59126e612067481c321d0882b20a5805de2230e906efe9754439fb
                                    • Instruction Fuzzy Hash: D8219171908784DFDB20DF58DD45B8ABBE8FB09710F10866AF829D7781E7B5A504CBA0
                                    APIs
                                    • EnterCriticalSection.KERNEL32(83C8296E,83C8296E), ref: 00B36140
                                    • GetCurrentThreadId.KERNEL32 ref: 00B36153
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00B361D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: a9c534a06cf2ee9e8e64adf028dda092864ea291401828e9ab411ca69b1b8918
                                    • Instruction ID: 0efeb0dfca423985ca7ba17f292240ee9f9b8025b10eca04f74903fc2753e00e
                                    • Opcode Fuzzy Hash: a9c534a06cf2ee9e8e64adf028dda092864ea291401828e9ab411ca69b1b8918
                                    • Instruction Fuzzy Hash: 2E318B71900744DFDB11CF58C94579EBBF4EF08314F248169E895E73A2E3B5AA04CBA0
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00B04F22
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00B04F28
                                    Strings
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RoOriginateLanguageException$combase.dll
                                    • API String ID: 2574300362-3996158991
                                    • Opcode ID: 8947bbb0a7babd0b90b84628363218faf48abe04775a3262c848ce5f825a8d4e
                                    • Instruction ID: a35223cb4d8803cc2bc79b3fb9257590b6bfaabbf5e0b60fb4549271a2323eda
                                    • Opcode Fuzzy Hash: 8947bbb0a7babd0b90b84628363218faf48abe04775a3262c848ce5f825a8d4e
                                    • Instruction Fuzzy Hash: 133152B1904209EFDB11DFA4C945BEEBBF4FB04710F104569E924A72D0E7749A48CB91
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00C0152A,?,83C8296E,?,?,?,000000FF,?,00C00EF4), ref: 00C0339D
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00C0152A,?,83C8296E,?,?,?,000000FF,?,00C00EF4,?), ref: 00C033BE
                                    • GetLastError.KERNEL32(?,83C8296E,?,?,?,000000FF,?,00C00EF4,?,?,00000000,00000000,83C8296E,?,?), ref: 00C0341E
                                    Strings
                                    Similarity
                                    • API ID: CreateEvent$ErrorLast
                                    • String ID: AdvancedInstaller
                                    • API String ID: 1131763895-1372594473
                                    • Opcode ID: 50b94df293be2e1fee467f71cfa0403072c2c0ff55587a54974232e3fbfc01bc
                                    • Instruction ID: 16d1773fc2dac5170540a5232a6a2e56727d456b8127ece1b07d0ebf64fb79aa
                                    • Opcode Fuzzy Hash: 50b94df293be2e1fee467f71cfa0403072c2c0ff55587a54974232e3fbfc01bc
                                    • Instruction Fuzzy Hash: 60114971740742ABD721DB21CC89F5ABBA8FB88704F604424F6159B6D0DBB1EA52CBA0
                                    APIs
                                      • Part of subcall function 00BB2E80: __Init_thread_footer.LIBCMT ref: 00BB2F10
                                      • Part of subcall function 00BB2E80: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00BB2F4D
                                      • Part of subcall function 00BB2E80: __Init_thread_footer.LIBCMT ref: 00BB2F64
                                      • Part of subcall function 00BB2E80: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00BB2F8F
                                    • CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BB29C2
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00BB29E0
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00BB29E8
                                      • Part of subcall function 00AE0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AE0E96
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
                                    • String ID: SysListView32
                                    • API String ID: 605634508-78025650
                                    • Opcode ID: bafcf0de2be01c74a6f190c8a84d3eecd2912cf1b3172d3862542e5f337b574a
                                    • Instruction ID: 846763db27d6e2cd23090d75b073387e42d6125329aa62f99a2af74279067379
                                    • Opcode Fuzzy Hash: bafcf0de2be01c74a6f190c8a84d3eecd2912cf1b3172d3862542e5f337b574a
                                    • Instruction Fuzzy Hash: 01117C31301310AFE6149F15DC05F6BFBAAEBC5750F014659FA48AB2A1C6B1E840CBA1
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00D77250), ref: 00AE281C
                                    • GetCurrentThreadId.KERNEL32 ref: 00AE2830
                                    • LeaveCriticalSection.KERNEL32(00D77250), ref: 00AE286F
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: 5117f44f83b8b13799e095a61c45a55e5b79aae067eb9bd808158b22b8a2e3f7
                                    • Instruction ID: e9a0adb26957b907fba197718ac1a3c929b0b87e8a951608549874eebe64c21e
                                    • Opcode Fuzzy Hash: 5117f44f83b8b13799e095a61c45a55e5b79aae067eb9bd808158b22b8a2e3f7
                                    • Instruction Fuzzy Hash: 0D119331D08384DBCB20CF56D84475ABBB8EB55B24F14866EE82997791E7715904C7A0
                                    APIs
                                    • CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00BB341B
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00BB3433
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00BB343B
                                      • Part of subcall function 00AE0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AE0E96
                                    Strings
                                    Similarity
                                    • API ID: MessageSendWindow$CreateLong
                                    • String ID: RichEdit20W
                                    • API String ID: 4015368215-4173859555
                                    • Opcode ID: dd5ea451ebfa7427af11ddc2cea5fa1a30c9bc3bc7675e7ef5b4849a1bef221a
                                    • Instruction ID: f47839a81d3d5197b87c736618b4a50f4b81a5a39d5ccf6cc07f595bfb5a5a20
                                    • Opcode Fuzzy Hash: dd5ea451ebfa7427af11ddc2cea5fa1a30c9bc3bc7675e7ef5b4849a1bef221a
                                    • Instruction Fuzzy Hash: A7015B31301310AFD6149F15DC04F5BFBAAFBC9B50F158519F908A73A0C6B1EC40CAA1
                                    APIs
                                    • GetParent.USER32(?), ref: 00B34941
                                    • GetParent.USER32(?), ref: 00B3494A
                                    • SendMessageW.USER32(?,00000411,00000000,?), ref: 00B3495F
                                    Strings
                                    Similarity
                                    • API ID: Parent$MessageSend
                                    • String ID: ,
                                    • API String ID: 2251359880-3772416878
                                    • Opcode ID: 10075e428ba5d2f6cf1a0c04feab09fca55a2d992a2a8ce149ff00940c740401
                                    • Instruction ID: 6bea94a981e43ffc6126e65a24959e24573a445d1e5c1c2b9f1734d2a47801a1
                                    • Opcode Fuzzy Hash: 10075e428ba5d2f6cf1a0c04feab09fca55a2d992a2a8ce149ff00940c740401
                                    • Instruction Fuzzy Hash: ED118CB1505700AFD720DF28E844B1BFBE4FB89310F104A2AF599D2660D7B5E854CFA2
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                      • Part of subcall function 00BEB460: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00BEB48D
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BEB6DE
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BEB73E
                                    • _wcschr.LIBVCRUNTIME ref: 00BEB9D2
                                    • _wcschr.LIBVCRUNTIME ref: 00BEBA5F
                                    Similarity
                                    • API ID: Init_thread_footer_wcschr_wcsrchr$FileHeapModuleNameProcess
                                    • String ID:
                                    • API String ID: 1360097548-0
                                    • Opcode ID: a672033a0d740719357e44f87be5c195f167fff764e0b0d4b4b6319549214da9
                                    • Instruction ID: 7db1b36d829667e2059026a9eec5d6531c166375e1495c3d62864831ecedc1ca
                                    • Opcode Fuzzy Hash: a672033a0d740719357e44f87be5c195f167fff764e0b0d4b4b6319549214da9
                                    • Instruction Fuzzy Hash: 55F1A271A00249DFDB10DFA9C895BAEBBF8EF44314F1482ADE915AB3D1DB709904CB91
                                    APIs
                                    • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00AF03B8
                                    • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00AF03CD
                                      • Part of subcall function 00AD9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,?,00D6ACAC,?,00AE6B09,80004005,83C8296E,-00000010,?), ref: 00AD9B2A
                                      • Part of subcall function 00BB2A60: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00AF0408,00000000,80004005), ref: 00BB2AC8
                                      • Part of subcall function 00BB2A60: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BB2AF8
                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00AF0503
                                    • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00AF05FF
                                    Similarity
                                    • API ID: MessageSend$AllocateHeapWindow
                                    • String ID:
                                    • API String ID: 3168177373-0
                                    • Opcode ID: f37a5c5c3c3fdf8ef86693cb260481b6fb8a4a467b834e3200d8e7779cfaf383
                                    • Instruction ID: fb9959d11733462e2a8d3729a80f74164863239fd1ac7ec37a5887e0524cedeb
                                    • Opcode Fuzzy Hash: f37a5c5c3c3fdf8ef86693cb260481b6fb8a4a467b834e3200d8e7779cfaf383
                                    • Instruction Fuzzy Hash: 2FB17071A00609EFDB14CFA8C985FEEFBB5FF48314F104219E515AB291DBB5A944CBA0
                                    APIs
                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 00ADF07A
                                    • SysFreeString.OLEAUT32(00000000), ref: 00ADF0C6
                                    • SysFreeString.OLEAUT32(00000000), ref: 00ADF0E8
                                    • SysFreeString.OLEAUT32(00000000), ref: 00ADF243
                                    Similarity
                                    • API ID: String$Free$Alloc
                                    • String ID:
                                    • API String ID: 986138563-0
                                    • Opcode ID: 62db24c039cb8820daca150025db07d2a89b472962530a2a821c2bb4a9f4de71
                                    • Instruction ID: 0d74ff954155690bb9edc545c171327f2ac0fb33873e8510089860b90b46c532
                                    • Opcode Fuzzy Hash: 62db24c039cb8820daca150025db07d2a89b472962530a2a821c2bb4a9f4de71
                                    • Instruction Fuzzy Hash: 80A15D71A00259DFDB14DFA8CC44BAFB7B8EF44714F10422AE616EB390E7749A05CB61
                                    APIs
                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00AF85D8
                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00AF8607
                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00AF87CE
                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00AF87F6
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 4c3f36690f96fb1c174ef6be69fcfb02557fdc981c22d2128051fe6e35129701
                                    • Instruction ID: 7b466cc2d0a1b854c7acdb27354729fcf50a37c2a22aaadd86fc15235eb5a872
                                    • Opcode Fuzzy Hash: 4c3f36690f96fb1c174ef6be69fcfb02557fdc981c22d2128051fe6e35129701
                                    • Instruction Fuzzy Hash: 04A16C71A00208DFCF15DFA8D985BEEB7B5BF48310F14456AF906AB291DB34E841CBA0
                                    APIs
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: a0f5884f660da5cb753c40b453b8d304512a20738587aef052a054e50d3756e7
                                    • Instruction ID: 36675c151e2406a24fc250dd0f440eef50171185ee6b6259bd9dbf329e6e33ab
                                    • Opcode Fuzzy Hash: a0f5884f660da5cb753c40b453b8d304512a20738587aef052a054e50d3756e7
                                    • Instruction Fuzzy Hash: E2A17774900248DFCB10DFA8C984BEEBBB4FF58314F248269E505E7391E774AA45CBA5
                                    APIs
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: f0b10ad2c03a83fc43d3cc9a4efaf973aa52f691c1dd3f261932f9ead4191378
                                    • Instruction ID: 178dc7a3951dc13e6624ccf9532ce1050db2e68f5e13dde3e70b1de911bb4d55
                                    • Opcode Fuzzy Hash: f0b10ad2c03a83fc43d3cc9a4efaf973aa52f691c1dd3f261932f9ead4191378
                                    • Instruction Fuzzy Hash: 0681B031E00348DBDB10DFA8C944BAEFBB4EF55700F148259E915EB392E774AA45CB91
                                    APIs
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AE47B0
                                    • SysFreeString.OLEAUT32(00000000), ref: 00AE47F1
                                    Similarity
                                    • API ID: FreeString
                                    • String ID:
                                    • API String ID: 3341692771-0
                                    • Opcode ID: 254d00c1be930556143306a169a30bb325c49d357c31ceb84cf6efd7acd322bf
                                    • Instruction ID: 824254b79cfd890a19bdeb1768eb28046d0ce86c32471cfdf8691c9321ddf06f
                                    • Opcode Fuzzy Hash: 254d00c1be930556143306a169a30bb325c49d357c31ceb84cf6efd7acd322bf
                                    • Instruction Fuzzy Hash: 6A616D72A04659EFDB10CF59E844B9ABBB8FB48760F10816AEC15DB390D776DD10CBA0
                                    APIs
                                    • RegCloseKey.ADVAPI32(00000000,83C8296E), ref: 00BFCE16
                                    • _wcsrchr.LIBVCRUNTIME ref: 00BFCE40
                                    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 00BFCEC3
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BFCF0F
                                      • Part of subcall function 00BFCCC0: RegOpenKeyExW.ADVAPI32(00000000,83C8296E,00000000,00020019,00000002,83C8296E,00000001,00000010,00000002,00BFC00C,83C8296E,00000000,?), ref: 00BFCD5C
                                    Similarity
                                    • API ID: Close$OpenQueryValue_wcsrchr
                                    • String ID:
                                    • API String ID: 213811329-0
                                    • Opcode ID: 4d5eefb4b6f01e2cda00547e50743740b50016d1f58981891a9d89b32edb5677
                                    • Instruction ID: b17506fe5179119ae98212cd269760f82de25d8cc233100620bd5343959c6a0b
                                    • Opcode Fuzzy Hash: 4d5eefb4b6f01e2cda00547e50743740b50016d1f58981891a9d89b32edb5677
                                    • Instruction Fuzzy Hash: 4C51EE7190534DABDB10CF68C944BAEBFB4EF40720F2482AAED14A73D1D7759A48CB90
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00B6FF82
                                    • GetWindowRect.USER32(?,?), ref: 00B6FF9A
                                    • GetWindowRect.USER32(?,?), ref: 00B70006
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00B7002A
                                    Similarity
                                    • API ID: Window$Rect$Long
                                    • String ID:
                                    • API String ID: 3486571012-0
                                    • Opcode ID: 93a917544ad0cce0314255a82e58334dfee72e601bc751d1abd0b8fd6144a79c
                                    • Instruction ID: 70f040835b07714f053cdbed0c4503983a614bab83ab6bf653dd1127e0c3a975
                                    • Opcode Fuzzy Hash: 93a917544ad0cce0314255a82e58334dfee72e601bc751d1abd0b8fd6144a79c
                                    • Instruction Fuzzy Hash: E841AE32A087059FC710CF24E884A6FB7E8FF99705F04462EF989D7211E730E9858B62
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(83C8296E,83C8296E,?), ref: 00AECF9F
                                    • EnterCriticalSection.KERNEL32(?,83C8296E,?), ref: 00AECFAC
                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00AED083
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: ace970ed3f214f62de86084c87aa6f4fbee884503381a67caa2c5deb2bae1c1f
                                    • Instruction ID: dc631fccb3c57b2e786e9fe91fbc427087cda4bd9dda2a407e58291f4d4ae893
                                    • Opcode Fuzzy Hash: ace970ed3f214f62de86084c87aa6f4fbee884503381a67caa2c5deb2bae1c1f
                                    • Instruction Fuzzy Hash: D24106742007858FCB21DF39D940BAABBB1EF45320F144569E897D7392CB71AD16CBA0
                                    APIs
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 00BED5CF
                                    • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00BED5DC
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00BED5F9
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00BED61B
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: 6438ffccd57d9dd0f4ab68134549c60e5218a888926d9e4676b8bc3532266fdb
                                    • Instruction ID: 3b81b25b671ad1d90c5d9d95a9abdffdc73ee1c818a5c842334fdec09a239c0a
                                    • Opcode Fuzzy Hash: 6438ffccd57d9dd0f4ab68134549c60e5218a888926d9e4676b8bc3532266fdb
                                    • Instruction Fuzzy Hash: BF2122B67403067BE7105F56EC82F6A77ACEB54B44F200129FA059B2C0E7F17E058AA4
                                    APIs
                                    • MulDiv.KERNEL32(00000010,?,00000060), ref: 00B26432
                                    • GetWindowRect.USER32(?,?), ref: 00B26481
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00B264AA
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,00000060), ref: 00B2653C
                                    Similarity
                                    • API ID: Window$LongRect
                                    • String ID:
                                    • API String ID: 463821813-0
                                    • Opcode ID: 0721755f27c42b5711185459b2fd4a9721325ee2c961714e8d50f09d1606c160
                                    • Instruction ID: a2f4551fe239b4ed2ef096d529c0572672b554367b5134641d5e13ec27d16fe6
                                    • Opcode Fuzzy Hash: 0721755f27c42b5711185459b2fd4a9721325ee2c961714e8d50f09d1606c160
                                    • Instruction Fuzzy Hash: 60412E71108745AFD741DF29E885A6ABBB4FF89300F004619F99593260E771A895CB62
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,80004005,?,?,?,00000000,00CCB90D,000000FF), ref: 00BD6148
                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,?,80004005,?,?,?,00000000,00CCB90D,000000FF), ref: 00BD617A
                                    • GetStdHandle.KERNEL32(000000F5,?,83C8296E,00000000,00C8E9A0,000000FF,?,80070057,?,-00000001,?,?,?,80004005,?,?), ref: 00BD61E6
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,83C8296E,00000000,00C8E9A0,000000FF,?,80070057,?,-00000001,?,?,?,80004005,?,?), ref: 00BD61ED
                                    Similarity
                                    • API ID: ByteCharMultiWide$AttributeConsoleHandleText
                                    • String ID:
                                    • API String ID: 3849414675-0
                                    • Opcode ID: 0baf9c2dba20f495978574c81890162d98eb7f06f812985e26fb7d075efdae89
                                    • Instruction ID: 1a5c451da142e757f868ab1ba2e83aab437a64efef666865c4958dd36a2e5179
                                    • Opcode Fuzzy Hash: 0baf9c2dba20f495978574c81890162d98eb7f06f812985e26fb7d075efdae89
                                    • Instruction Fuzzy Hash: 4921C636304255AFDB109B59DC89F5EF7A9EB85721F20426EF626DB3D0CB316801CB64
                                    APIs
                                    • GetParent.USER32(00000000), ref: 00B29A2F
                                    • GetParent.USER32(00000000), ref: 00B29A37
                                    • GetParent.USER32(00000000), ref: 00B29A3C
                                    • SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 00B29A4D
                                    Similarity
                                    • API ID: Parent$MessageSend
                                    • String ID:
                                    • API String ID: 2251359880-0
                                    • Opcode ID: ace25ed4f8276cb5a34ab329d98a6c14e62a870a972d66dda86cc3a6558671e0
                                    • Instruction ID: 20853f8affaa7dbcf5df05b3de38209bce4e24e92192bc7240da033ecc70b063
                                    • Opcode Fuzzy Hash: ace25ed4f8276cb5a34ab329d98a6c14e62a870a972d66dda86cc3a6558671e0
                                    • Instruction Fuzzy Hash: B521B032200225AFDB109B28FC84EAAF7D9EF52724F0445A6F50DC2264EB31EDD18765
                                    APIs
                                    • SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AE8B39
                                    • GetParent.USER32(?), ref: 00AE8B6D
                                      • Part of subcall function 00C667B8: GetProcessHeap.KERNEL32(00000008,00000008,?,00AE0E77,?,?,00AE0C24,?), ref: 00C667BD
                                      • Part of subcall function 00C667B8: HeapAlloc.KERNEL32(00000000,?,?,00AE0C24,?), ref: 00C667C4
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00AE8BA0
                                    • ShowWindow.USER32(?,00000000), ref: 00AE8BB6
                                    Similarity
                                    • API ID: Window$HeapLong$AllocParentProcessShow
                                    • String ID:
                                    • API String ID: 78937335-0
                                    • Opcode ID: 810debdc397d4299c0ac9a43c1487d7f4de88b7ba887a921fb4749300250adc1
                                    • Instruction ID: 0c652fdd647d0726322762aa153791ac0d953a250b14fad906497bcb5c83708f
                                    • Opcode Fuzzy Hash: 810debdc397d4299c0ac9a43c1487d7f4de88b7ba887a921fb4749300250adc1
                                    • Instruction Fuzzy Hash: C2215074504B019FC720EF39D845E2BBBE8FF49715B404A2DF49AC2661EB74E844CB61
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,83C8296E), ref: 00AECDFA
                                    • EnterCriticalSection.KERNEL32(?,83C8296E), ref: 00AECE07
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00AECE58
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: c982958e7dbc3e10d69545d72c26ef820637563611a02d62b0a39fac2aa548c5
                                    • Instruction ID: b0a078fd4b0f3a32514b7aeb29f44dc5823b5c79a7bb5d27e0fc084e2a090253
                                    • Opcode Fuzzy Hash: c982958e7dbc3e10d69545d72c26ef820637563611a02d62b0a39fac2aa548c5
                                    • Instruction Fuzzy Hash: 8421B2369002859FDF11CF64D845BEABBB4FB16324F5405A9EC59AB382D732590ACBA0
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,83C8296E), ref: 00AECEEA
                                    • EnterCriticalSection.KERNEL32(?,83C8296E), ref: 00AECEF7
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00AECF3E
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: 77f47bfe4ec4fe9bf2d85ae222f67073b17477ce67eba4ea116ccf1124288aca
                                    • Instruction ID: a980b79b83c4213a86b59df5fbd367b9d0537095d7a510a23788b60fbd880e02
                                    • Opcode Fuzzy Hash: 77f47bfe4ec4fe9bf2d85ae222f67073b17477ce67eba4ea116ccf1124288aca
                                    • Instruction Fuzzy Hash: F221BD729002859FDF11CF64D844BA9BBB4FF15324F5045A9EC59AB382D7319905CBA0
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,83C8296E,?), ref: 00AECD2D
                                    • EnterCriticalSection.KERNEL32(?,83C8296E,?), ref: 00AECD3A
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00AECD62
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: 76effcdb19a934ec2d2c8d571c67b725b3876300f21977e29da126e0436a7add
                                    • Instruction ID: 783085b12d86a00b16c46d1da2b84d87f8fa70d263463ddf61e00f93e8c999d3
                                    • Opcode Fuzzy Hash: 76effcdb19a934ec2d2c8d571c67b725b3876300f21977e29da126e0436a7add
                                    • Instruction Fuzzy Hash: DE21D6769042859FCF11CF64DC80BEABF74EB56334F5005B9D859AB381C7325A0ACBA0
                                    APIs
                                    • WaitForSingleObject.KERNEL32(00000001,?,83C8296E,?,?,00000000,Function_001BE7D0,000000FF,?,00C12058,00000000,80004005,?,?,00BF485D,?), ref: 00C120A7
                                    • GetExitCodeThread.KERNEL32(00000001,00C12058,?,?,00000000,Function_001BE7D0,000000FF), ref: 00C120C1
                                    • TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,Function_001BE7D0,000000FF), ref: 00C120D9
                                    • CloseHandle.KERNEL32(00000001,?,?,00000000,Function_001BE7D0,000000FF,?,00C12058,00000000,80004005,?,?,00BF485D,?,83C8296E,?), ref: 00C120E2
                                    Similarity
                                    • API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
                                    • String ID:
                                    • API String ID: 3774109050-0
                                    • Opcode ID: 3e158bd97cf3011f46f9f4486ebc5921cfe6f7457d088dfa765269837be7f046
                                    • Instruction ID: 7d7390f5af8489c0452e79a32ae3f2f6affe66168c375546c64d1ac212c47d7f
                                    • Opcode Fuzzy Hash: 3e158bd97cf3011f46f9f4486ebc5921cfe6f7457d088dfa765269837be7f046
                                    • Instruction Fuzzy Hash: D601B575500749EFCB208F54DC49BAAB7F8FB09710F008A2DE835D26A0D7B1AD90CB50
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00ADD966
                                    • SendMessageW.USER32(?,00000000,00000000), ref: 00ADDA62
                                      • Part of subcall function 00ADF1A0: SysFreeString.OLEAUT32(00000000), ref: 00ADF243
                                    Strings
                                    Similarity
                                    • API ID: CreateFreeMessageSendStringWindow
                                    • String ID: AtlAxWin140
                                    • API String ID: 4045344427-3842940177
                                    • Opcode ID: 381c1257c7bfcb9fa9853983d16f00165aa6d3079956c1a5e721c76462a74c8c
                                    • Instruction ID: 547c183d647c318e5d59619b8614d875025a25a648ccf2c8fc14bc431a7f221e
                                    • Opcode Fuzzy Hash: 381c1257c7bfcb9fa9853983d16f00165aa6d3079956c1a5e721c76462a74c8c
                                    • Instruction Fuzzy Hash: 0F910574600209EFDB14DF68C888B6ABBB9FF49714F1085A9F91A9B3A0D771E905CB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00B3F126
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00B3F12C
                                      • Part of subcall function 00B40AC0: GetProcessHeap.KERNEL32(?,?,83C8296E,00000000), ref: 00B40B7A
                                      • Part of subcall function 00B40AC0: HeapFree.KERNEL32(00000000,?,?,83C8296E,00000000), ref: 00B40B80
                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3F337
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3F33D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: a537b146c3c5473c7f53377d518d9ba8f385fa09fdfb782865beb9d2eb23e363
                                    • Instruction ID: 4953a974de4fdf8a5a66f8d7d28fa901ea132e03401bda0b3035e42629d6edb4
                                    • Opcode Fuzzy Hash: a537b146c3c5473c7f53377d518d9ba8f385fa09fdfb782865beb9d2eb23e363
                                    • Instruction Fuzzy Hash: EEF15A70D00249DFDB14DFA8C949BAEBBF4FF05314F2442A9E415AB291DB75AE08CB91
                                    APIs
                                      • Part of subcall function 00AD9E20: GetProcessHeap.KERNEL32 ref: 00AD9E75
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9EA7
                                      • Part of subcall function 00AD9E20: __Init_thread_footer.LIBCMT ref: 00AD9F32
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00CD240F,000000FF), ref: 00C08563
                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00CD240F,000000FF), ref: 00C085F1
                                    Strings
                                    • << Advanced Installer (x86) Log >>, xrefs: 00C084CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                    • String ID: << Advanced Installer (x86) Log >>
                                    • API String ID: 3699736680-396061572
                                    • Opcode ID: d7dc3e7532664b7ba26ea91cbf0c393b39c0e24a01d4ea9a8f40f4aaa82702aa
                                    • Instruction ID: d0f1dea72c1e75c9967e182158cd6c251f75384ed172e703425eec947d59cfc9
                                    • Opcode Fuzzy Hash: d7dc3e7532664b7ba26ea91cbf0c393b39c0e24a01d4ea9a8f40f4aaa82702aa
                                    • Instruction Fuzzy Hash: 9661CF70905685DFDB00CFA8D944B9ABBF4FF45314F1482ADE458DB392EB749A48CBA0
                                    APIs
                                      • Part of subcall function 00C67112: EnterCriticalSection.KERNEL32(00D75CD8,-00000010,?,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?), ref: 00C6711D
                                      • Part of subcall function 00C67112: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9EC6,00D76904,83C8296E,?,?,00C8EF2D,000000FF,?,00AE6A8F,83C8296E,-00000010,?,?,00000008), ref: 00C6715A
                                    • __Init_thread_footer.LIBCMT ref: 00B1D24D
                                      • Part of subcall function 00C670C8: EnterCriticalSection.KERNEL32(00D75CD8,?,?,00AD9F37,00D76904,00CE7320), ref: 00C670D2
                                      • Part of subcall function 00C670C8: LeaveCriticalSection.KERNEL32(00D75CD8,?,00AD9F37,00D76904,00CE7320), ref: 00C67105
                                      • Part of subcall function 00C670C8: RtlWakeAllConditionVariable.NTDLL ref: 00C6717C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: ItemData$Windows.UI.Xaml.Controls.ListViewItem
                                    • API String ID: 2296764815-2445763458
                                    • Opcode ID: c14788c494e8edb250333bc6dd04bfaadb0888ebdc99fe8b6c83a9af4dc65677
                                    • Instruction ID: e130958c6ab4fb724645db900047523ef868447e3d812c7f5fd80b8f583717e7
                                    • Opcode Fuzzy Hash: c14788c494e8edb250333bc6dd04bfaadb0888ebdc99fe8b6c83a9af4dc65677
                                    • Instruction Fuzzy Hash: 8A71A0B0905349EFDB01CFA8D944BDEBBF0BB14304F1486A9E414672C1D7B96A48DBA2
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,83C8296E), ref: 00BC4B51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Path
                                    • String ID: \\?\$\\?\UNC\
                                    • API String ID: 2875597873-3019864461
                                    • Opcode ID: 1b2cf442f3d4238752bb238036ea6b8a9a57f28cf314df3613e68427e61033f4
                                    • Instruction ID: bae511458ede05c8ce29b98a5528f96c149af2c4bfe81296a552a698074a9730
                                    • Opcode Fuzzy Hash: 1b2cf442f3d4238752bb238036ea6b8a9a57f28cf314df3613e68427e61033f4
                                    • Instruction Fuzzy Hash: 8F51C0709006049BDB14DF68D895FAEF7F4FF84304F10865DE812A7391DB75AA48CBA1
                                    APIs
                                    • RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,00CF438C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,83C8296E), ref: 00AE7370
                                      • Part of subcall function 00BBEBE0: GetModuleHandleW.KERNEL32(Advapi32.dll,83C8296E,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 00BBEC23
                                    • CloseHandle.KERNEL32(?,83C8296E), ref: 00AE73A9
                                    Strings
                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00AE7268
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: CloseHandle$Module
                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                    • API String ID: 1412095732-2431777889
                                    • Opcode ID: 557b30de046205b123c3ab28ea1af870de65e5d23808e227823e5e423b53af43
                                    • Instruction ID: 6b74f1990774070ed0c77539a70b956d5662c156a5d44dee462603ecd162ee1d
                                    • Opcode Fuzzy Hash: 557b30de046205b123c3ab28ea1af870de65e5d23808e227823e5e423b53af43
                                    • Instruction Fuzzy Hash: 14516A70D04288EEDF24DFA4C949BDEBBB4FF14704F508199E455B7281DBB46A48CBA1
                                    APIs
                                    • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,83C8296E,00D0A83C), ref: 00BD82A8
                                    • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00BD83B2
                                      • Part of subcall function 00BCAA10: std::locale::_Init.LIBCPMT ref: 00BCAAED
                                      • Part of subcall function 00BC81D0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00BC82A5
                                    Strings
                                    • Failed to get Windows error message [win32 error 0x, xrefs: 00BD82C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
                                    • String ID: Failed to get Windows error message [win32 error 0x
                                    • API String ID: 1983821583-3373098694
                                    • Opcode ID: 48509e0f4e775276364217367ceec55175ea4b6a914e48248cdd5e133b45afd8
                                    • Instruction ID: 7881187f81b2cc3c9d31c5e195fed73e98a6d94e50178112fbb6fdd935ad6998
                                    • Opcode Fuzzy Hash: 48509e0f4e775276364217367ceec55175ea4b6a914e48248cdd5e133b45afd8
                                    • Instruction Fuzzy Hash: 70415F71A003099BDB10DF58C909B9FBBF8EF44714F144599E459AB391DBB49A08CB91
                                    APIs
                                    • OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,00D0B440,00000001,83C8296E,00000000), ref: 00C22F9E
                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00C22FBB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Event$CreateOpen
                                    • String ID: _pbl_evt
                                    • API String ID: 2335040897-4023232351
                                    • Opcode ID: 857a1237f0a6c1d0470b31a96aa96f5f7ad2cc704a239fabba00ec41624e6317
                                    • Instruction ID: 640fdbdcbf23f04e1b6b46afef5ba64af4ab59a81d50e3a8b3e5134e15fbae6d
                                    • Opcode Fuzzy Hash: 857a1237f0a6c1d0470b31a96aa96f5f7ad2cc704a239fabba00ec41624e6317
                                    • Instruction Fuzzy Hash: 48313C71D04218EFDB10DFA8D955BDEB7B4EF04714F508119E911B72C0EB746A09CBA1
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BC779B
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BC77FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name
                                    • API String ID: 3988782225-1405518554
                                    • Opcode ID: 9221321113a67dc426ac15e60897a70df777643d6c3f62d2801d3a8e969e769c
                                    • Instruction ID: 85f0c452ab66be69319421d1b415eb9f0afba80b28bb073095e088c6a0e037a5
                                    • Opcode Fuzzy Hash: 9221321113a67dc426ac15e60897a70df777643d6c3f62d2801d3a8e969e769c
                                    • Instruction Fuzzy Hash: F821E070A05784DFD720CF68C804B4ABFE4EF15300F14869DE445C7782D7B5AA04DBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00B3E62B
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00B3E631
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00B3E700
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00B3E706
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: d1a38c5bf4910c98f9918b88831c6c7ff78a717f76547729198cff88c1177e32
                                    • Instruction ID: 391c76d1927c15c02d1d9ec0fe4256012945e5c59231adfb9d76cd1c7ccee96b
                                    • Opcode Fuzzy Hash: d1a38c5bf4910c98f9918b88831c6c7ff78a717f76547729198cff88c1177e32
                                    • Instruction Fuzzy Hash: 05D16C70900248DFDB14DFA8C994BEEBBF5FF54304F2441AAD415AB291DB70AE49CB91
                                    APIs
                                    • GetParent.USER32(00000005), ref: 00AF1554
                                    Strings
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00AF1529
                                    • d, xrefs: 00AF1520
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                    • API String ID: 975332729-3547446826
                                    • Opcode ID: 5f86532482624e1828981b155a7d3d21718c7360ba13aac7be9ea7b61cdb61d9
                                    • Instruction ID: f37dc700590a03151305170dc8c1327a39eb7f25323f39aab7206aa287d35b10
                                    • Opcode Fuzzy Hash: 5f86532482624e1828981b155a7d3d21718c7360ba13aac7be9ea7b61cdb61d9
                                    • Instruction Fuzzy Hash: C0212774D05298EEDF04CFE4D948BDDBBB1BF15308F108098E006AB395D7B95A08CB92
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00ADD395
                                    • d, xrefs: 00ADD389
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 13dcc44ddd0041cad227542d3e044693bb33c26930ae44ca5eab7de56165f789
                                    • Instruction ID: 31abf1f37692418e3647f585ad5a02fa10c8469c6fd9f4f75747b5c7073957c6
                                    • Opcode Fuzzy Hash: 13dcc44ddd0041cad227542d3e044693bb33c26930ae44ca5eab7de56165f789
                                    • Instruction Fuzzy Hash: 90210874D05298EEDB04DFE4E9587DEBBB1BF14304F108098E005AB395D7B95A09CB92
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00ADCFC4
                                    • d, xrefs: 00ADCFBB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                     • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 6b90c98e4066cfce14c3bafd8158ccc18ef71370867b3c0f314e356f8811ebab
                                    • Instruction ID: b3f0c64e7b744166017cf3a8211507b4db46f09424cffff448c90936e23ca4b6
                                    • Opcode Fuzzy Hash: 6b90c98e4066cfce14c3bafd8158ccc18ef71370867b3c0f314e356f8811ebab
                                    • Instruction Fuzzy Hash: 3221D874D05298EEDB04DFE4E9587DEBBB1BF15304F108098E005AB395D7B95A08CB92
                                    APIs
                                    • GetParent.USER32(0000000D), ref: 00AF161B
                                    Strings
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00AF15EE
                                    • d, xrefs: 00AF15E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                    • API String ID: 975332729-3547446826
                                    • Opcode ID: 500217bad2b6855ffc819be76b1039ccc46f026906a7d73446b096fcef418bf2
                                    • Instruction ID: 10d596fc703826c90d8e735c0202a66c4c99e0eb534629e4be6094e8bf1c201c
                                    • Opcode Fuzzy Hash: 500217bad2b6855ffc819be76b1039ccc46f026906a7d73446b096fcef418bf2
                                    • Instruction Fuzzy Hash: D1212474D00288EEDF04DFE4D958B9DBFB1BF14308F508098E005AB395D7B95A09DB92
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00ADD459
                                    • d, xrefs: 00ADD44D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 0b929576884e45bc02298f1d84ff0477688bf03f587f4643b5876b3b3c8ae195
                                    • Instruction ID: 2e71d9d8e4d48541f99b320c274fa54cadec9503b8be7119bb259bb215e31a96
                                    • Opcode Fuzzy Hash: 0b929576884e45bc02298f1d84ff0477688bf03f587f4643b5876b3b3c8ae195
                                    • Instruction Fuzzy Hash: AE214470D04288EEDF04DFE4D958BDEBBB1BF14308F108198E0056B395DBB84A09DB92
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00ADD083
                                    • d, xrefs: 00ADD07A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 0bd948c4ce74b8a3c7beaceb415378111feeb28fababfaf2cbfc8541cf6c74a5
                                    • Instruction ID: a49453d2ae7276f722ca7f1ef7353120496e3b610ceabaa650cd1c3629fe6c58
                                    • Opcode Fuzzy Hash: 0bd948c4ce74b8a3c7beaceb415378111feeb28fababfaf2cbfc8541cf6c74a5
                                    • Instruction Fuzzy Hash: 32210374D05298EEDB04DFE4E958BDEBBB1AF14308F108098E0056B395DBB94A09DB62
                                    APIs
                                    • CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B3136F
                                    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00B2FEE9,00000000,83C8296E,?,?), ref: 00B31388
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Window$Create
                                    • String ID: tooltips_class32
                                    • API String ID: 870168347-1918224756
                                    • Opcode ID: 5ed8912a60a9250d5f57fd6516b9a12fbc9ea835b2534ab00e5439822387a00d
                                    • Instruction ID: e342d9f2d16701a9093f5e965749769d92866c340f54a6bf2270c5a8db6eed8e
                                    • Opcode Fuzzy Hash: 5ed8912a60a9250d5f57fd6516b9a12fbc9ea835b2534ab00e5439822387a00d
                                    • Instruction Fuzzy Hash: 3E01F0313803127AF7648B64EC0AFA63298D740B45F308229BB08FD1D0E6E6AA61C618
                                    APIs
                                    • GetParent.USER32(00000013), ref: 00AF16A4
                                    Strings
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00AF1689
                                    • Unknown exception, xrefs: 00AF1679
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
                                    • API String ID: 975332729-3529215713
                                    • Opcode ID: 3bc1152122b9f92dda7d06017a5e4b38a0e1204fa6dcf2dbd3145c55a892dc7b
                                    • Instruction ID: 9a672e2ac0d9da6e41b43be363fd2656eb76b61db20f92d6ef126745b713d813
                                    • Opcode Fuzzy Hash: 3bc1152122b9f92dda7d06017a5e4b38a0e1204fa6dcf2dbd3145c55a892dc7b
                                    • Instruction Fuzzy Hash: A5016134D0528CEFCB04DBE4C919ADDBFB1AF55304F548098E0026B396D7B45A08DBA2
                                    Strings
                                    • Unknown exception, xrefs: 00ADD4E0
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00ADD4F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                    • API String ID: 2558294473-1308700304
                                    • Opcode ID: 983b97851ad73fa3cf35094f9c817b3a7bfbf8881c5335bbed41162e4b308979
                                    • Instruction ID: 1cc583130f398a2dc71f4b7e1ba67f577a6f7289520a25aa52fcf259fb827ab4
                                    • Opcode Fuzzy Hash: 983b97851ad73fa3cf35094f9c817b3a7bfbf8881c5335bbed41162e4b308979
                                    • Instruction Fuzzy Hash: C9018034D0528CEBCB05EBE4C915ADEBBB16F55300F508198D002AB386EBB45A08DB92
                                    Strings
                                    • Unknown exception, xrefs: 00ADD108
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00ADD118
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                    • API String ID: 2558294473-1308700304
                                    • Opcode ID: 4745d12a79e4a348d342d4d28b41650adbc75595ff2d8812a245e13d8a2c3ce4
                                    • Instruction ID: 92ee914b60cbdcff52f1145bb76a94d0fecb8c0846a6f07fa50f935634020478
                                    • Opcode Fuzzy Hash: 4745d12a79e4a348d342d4d28b41650adbc75595ff2d8812a245e13d8a2c3ce4
                                    • Instruction Fuzzy Hash: C7014034D0528CEBCB05DBE4D919ADEBFB16F55304F544099D002AB385DBB45A08D7A2
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00B120B1
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00B120B7
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00B12143
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00B12149
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: dae5ffde3965806f2aeff008f64f7a3be304fe836e6229c96dd04c622179c59c
                                    • Instruction ID: aab4c391324abb7b94778927ac38b392bfc4d6f84feb86356224aec0b29b439c
                                    • Opcode Fuzzy Hash: dae5ffde3965806f2aeff008f64f7a3be304fe836e6229c96dd04c622179c59c
                                    • Instruction Fuzzy Hash: 0691DEB0D01248EFDB15DFA8D949BEEBBF4FF44314F104299E411A7291DB70AA85CBA0
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?,?,?), ref: 00B10E11
                                    • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B10E17
                                    • GetProcessHeap.KERNEL32(?,?,?,?), ref: 00B10EA3
                                    • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B10EA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184042430.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                    • Associated: 00000000.00000002.2184026332.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184332024.0000000000CE9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184384079.0000000000D6F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184400323.0000000000D74000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184429505.0000000000D75000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2184445439.0000000000D78000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ad0000_65X4tr6fyX.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: ccba205768447c8a3186088925b57212418c5db6fb59720a469c47abf0652a57
                                    • Instruction ID: 062d6fe87d72d0ead2159b34f62d54c820685bf4eb0d1e33584eeed8b5b84870
                                    • Opcode Fuzzy Hash: ccba205768447c8a3186088925b57212418c5db6fb59720a469c47abf0652a57
                                    • Instruction Fuzzy Hash: 4861EFB1D11248EFDF15EFA4D944BEEBBF5EF04310F5045A9E401A7281DBB4AA85CBA0